
Critical Citrix bug exploited by data thieves weeks before being patched

Time to close those active sessions


Updated: Bad news for anyone using Citrix NetScaler ADC and NetScaler Gateway appliances: miscreants have been exploiting a critical information disclosure bug in these devices since late August — almost two months before a patch was issued.

Citrix disclosed and fixed the 9.4-rated flaw, tracked as CVE-2023-4966, last week. In addition to allowing crooks to steal sensitive data, the bug doesn't require any user interaction or privileges to exploit. 

But this week Mandiant warned that criminals have been using this flaw to hijack authentication sessions and snatch corporate info since late August. Criminals abused the vulnerability to break into tech firms, government organizations, and professional services companies, according to the Google-owned threat intel firm.

The other problem is that simply applying the patch isn't enough to prevent intrusions, or so we're told.

"Organizations need to do more than just apply the patch — they should also terminate all active sessions. These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed," Mandiant Consulting CTO Charles Carmakal said on LinkedIn. 

"Therefore, even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated," he added.

Citrix did not respond to The Register's request for comments.

Depending on the permissions granted in an authenticated session, crooks could then steal more credentials, move laterally through the network and gain access to other resources within the victim's environment, Mandiant warned.

While the threat hunters don't yet know which nation-state or criminal organization is behind the break-ins, Mandiant is "assessing whether it is a group focused on cyberespionage," Carmakal said. "We anticipate other threat actors with financial motivations will exploit this over time."

When asked how many organizations had been compromised, Carmakal said he can't share numbers right now, but told The Register, "the exploitation observed so far appears to be targeted in nature." 

"We expect more organizations will identify exploitation after reviewing the information we published yesterday," Carmakal said, adding that Mandiant is "not yet seeing mass exploitation of this vulnerability."

In addition to applying the patch, Mandiant suggests organizations take extra measures to remediate the issue and reduce their risk [PDF].

The advice is to isolate vulnerable appliances, terminate all sessions after upgrading to the latest firmware versions, and connect to the NetScaler appliance using the CLI. Credentials for identities that have access to vulnerable appliances should be rotated, and if any backdoors or webshells were detected, the appliance should be rebuilt from a clean-source image.
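The point Carmakal makes above, that a patch removes the bug but leaves already-issued sessions valid until they are explicitly terminated, can be shown with a small session-store model. This is an added illustration written for this article, not Citrix or Mandiant code; the session table, timestamps and identifiers are constructed, and it stands in for the appliance's own session state rather than reproducing it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Session:
    session_id: str
    user: str
    issued_at: datetime


class SessionStore:
    """Stand-in for a gateway's table of authenticated sessions (constructed model)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, session_id: str, user: str, issued_at: datetime) -> None:
        self._sessions[session_id] = Session(session_id, user, issued_at)

    def is_valid(self, session_id: str) -> bool:
        # Validation only checks membership: nothing here knows a patch was applied.
        return session_id in self._sessions

    def issued_before(self, cutoff: datetime) -> list[str]:
        # Sessions that predate the fix could have been captured while the bug was live.
        return sorted(s.session_id for s in self._sessions.values() if s.issued_at < cutoff)

    def terminate_all(self) -> int:
        # The remediation step the article describes: drop every session, not just old ones.
        count = len(self._sessions)
        self._sessions.clear()
        return count


def remediation_walkthrough() -> dict:
    """Patch time alone leaves pre-patch sessions usable; terminating them closes the gap."""
    store = SessionStore()
    patch_applied_at = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)  # constructed
    store.issue("sess-a1", "alice", datetime(2023, 9, 1, 9, 0, tzinfo=timezone.utc))
    store.issue("sess-b2", "bob", datetime(2023, 10, 9, 18, 30, tzinfo=timezone.utc))
    store.issue("sess-c3", "carol", datetime(2023, 10, 11, 8, 0, tzinfo=timezone.utc))
    # Applying the patch changes no entry in the table, so old sessions still pass.
    lingering = store.issued_before(patch_applied_at)
    still_accepted_after_patch = store.is_valid("sess-a1")
    terminated = store.terminate_all()
    return {
        "pre_patch_sessions_surviving_patch": lingering,
        "pre_patch_session_still_accepted": still_accepted_after_patch,
        "sessions_terminated": terminated,
        "accepted_after_termination": store.is_valid("sess-a1"),
    }
```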

This is the second critical bug in Citrix gear that crims found and exploited before the vendor issued a patch. The earlier code-injection flaw, tracked as CVE-2023-3519, was used to compromise hundreds of servers before Citrix fixed the flaw in July.

According to Mandiant, the likely culprits are China-based spies, but it didn't have enough evidence for firm attribution. ®

Updated to add

"When the vulnerability was made public with a patch October 10, there was no indication from our customers or industry partners that an exploit existed in the wild," Citrix told The Register post publication. "The vulnerability was identified internally."
