A critical security issue was announced last week affecting Citrix NetScaler (ADC and Gateway) products. BreachBits analyzed this threat and rapidly deployed detection capabilities to our BreachRisk™ subscribers. If you subscribe to BreachRisk™, we have enhanced your attack surface detection capabilities and you will be sent an email notifying you if this issue was detected in your environment. Testing capabilities are forthcoming.
If you are a BreachRisk™ subscriber, check your email for a BreachBits Service Advisory to see if we detect this threat in your attack surface. Email subject includes the phrase "BreachRisk™ Emerging Threat Alert 2023-18 - NetScaler/Citrix Gateway and ADC Vulnerability (CVE-2023-4966)".
Summary: Organizations using vulnerable Citrix NetScaler versions should check for any indications of unusual account activity and update to the latest available builds as soon as possible. A proof-of-concept exploit for this vulnerability has been made publicly available. A successful attacker can take over the account of a legitimate user.
Citrix announced last week that exploitation of a newly disclosed vulnerability (CVE-2023-4966) in NetScaler ADC and NetScaler Gateway has been observed in the wild. The flaw affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Successful exploitation allows an unauthenticated attacker to read sensitive data, including valid session tokens, from the memory of an affected device; a stolen token can then be used to authenticate to the device as the victim user, without the victim's password and regardless of any multi-factor authentication in place.
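As an added illustration of the indicator this advisory tells administrators to look for (this is example code written for this page, not BreachBits' detection logic and not anything from the Citrix advisory): a stolen session token lets an attacker reuse a legitimate user's session from the attacker's own machine, so one practical sign of takeover is a single NetScaler session ID appearing with more than one client IP address. The log lines below are constructed and only loosely modelled on NetScaler SSLVPN syslog; the field names and the FIELD_RE pattern are assumptions you would adapt to your own ns.log export.

```python
import re
from collections import defaultdict

# Constructed sample log lines, loosely modelled on NetScaler SSLVPN syslog.
# They are NOT a capture from a real appliance; the third line is the planted
# indicator: alice's session 5001 is used from a second client IP.
SAMPLE_LOG = """\
Oct 24 09:10:11 ns01 : default SSLVPN LOGIN 1001 0 : SessionId: 5001 - User alice - Client_ip 198.51.100.7 - Vserver 10.0.0.5:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0)" - SSLVPN_client_type ICA
Oct 24 09:12:40 ns01 : default SSLVPN TCPCONNSTAT 1002 0 : SessionId: 5001 - User alice - Client_ip 198.51.100.7 - Destination 10.0.1.20:443
Oct 24 09:31:02 ns01 : default SSLVPN TCPCONNSTAT 1003 0 : SessionId: 5001 - User alice - Client_ip 203.0.113.99 - Destination 10.0.1.30:3389
Oct 24 09:15:00 ns01 : default SSLVPN LOGIN 1004 0 : SessionId: 5002 - User bob - Client_ip 192.0.2.33 - Vserver 10.0.0.5:443 - Browser_type "Citrix Receiver" - SSLVPN_client_type ICA
Oct 24 09:16:10 ns01 : default SSLVPN TCPCONNSTAT 1005 0 : SessionId: 5002 - User bob - Client_ip 192.0.2.33 - Destination 10.0.1.20:443
Oct 24 09:20:00 ns01 : default SSLVPN LOGOUT 1006 0 : Session timed out, no session fields on this line
"""

# Assumed field layout; adjust to the exact format of your ns.log.
FIELD_RE = re.compile(r"SessionId:\s*(\d+)\s+-\s+User\s+(\S+)\s+-\s+Client_ip\s+(\S+)")


def parse_events(log_text):
    """Yield (session_id, user, client_ip) for every line that carries those fields.
    Lines without them (logout/timeout lines, for example) are skipped."""
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_shared_sessions(log_text):
    """Return {session_id: (user, sorted client IPs)} for every session that was
    used from more than one client IP. With CVE-2023-4966 a stolen token is
    replayed from the attacker's host, so the same SessionId shows up with a
    client IP the real user never logged in from."""
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for sid, user, ip in parse_events(log_text):
        ips_by_session[sid].add(ip)
        user_by_session.setdefault(sid, user)
    return {
        sid: (user_by_session[sid], sorted(addrs))
        for sid, addrs in ips_by_session.items()
        if len(addrs) > 1
    }


if __name__ == "__main__":
    for sid, (user, addrs) in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} ({user}) used from {len(addrs)} client IPs: {', '.join(addrs)}")
```

Treat a hit as a lead, not a verdict: users on mobile or roaming networks legitimately change client IP within one session, so corroborate with the user-agent (Browser_type) field, the geolocation of the second address, and whether the same second address turns up against several unrelated sessions. Run the check over a window that starts before your patch date, because tokens stolen before the update remain valid until the session is terminated.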
The Citrix Security Advisory for NetScaler products contains guidance for users of the affected appliances, along with technical details that are being updated as the situation develops.
As a part of our continuous process, BreachBits has analyzed this threat and has deployed detection capability for BreachRisk™ subscribers.
Impact and Likelihood
According to the National Vulnerability Database, the vulnerability is rated critical: a successful attack has a high impact on the confidentiality of data and processes accessible to the victim user, with only low-rated impact on integrity and availability. For the victim, it can result in account takeover, allowing attackers to authenticate to vulnerable devices on their behalf.
Likelihood is high: the attack is extremely easy to conduct, even for unskilled attackers. A proof-of-concept exploit has been released, and Citrix confirmed in mid-October that exploitation in the wild had been observed. This vulnerability will likely draw attention from threat actors of all skill levels.
The following NetScaler ADC and NetScaler Gateway builds are affected. Note: version 12.1 is now End-of-Life (EOL); it is vulnerable, has no fixed build, and should be migrated to a supported release.
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300
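To make the list above mechanically checkable, here is an added example (written for this page; it is not code from BreachBits or Citrix) that parses a NetScaler version string, either the `show ns version` banner or the short `13.1-49.13` form used in the list, and compares it against the fixed builds. The edition (standard, FIPS or NDcPP) has to be supplied by the caller, because the build string alone does not reliably say which edition an appliance runs; that parameter, the function names and the return labels are this example's own conventions.

```python
import re

# Minimum fixed builds per (release train, edition), taken from the
# affected-version list above. Builds earlier than these are affected.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Release trains for which no fixed build exists (End-of-Life).
EOL_TRAINS = {("12.1", "standard")}

# 'show ns version' banner, e.g. "NetScaler NS13.1: Build 49.13.nc, Date: ..."
BANNER_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")
# Short advisory-style form, e.g. "13.1-49.13"
SHORT_RE = re.compile(r"(\d+\.\d+)-(\d+)\.(\d+)")


def parse_version(text):
    """Return (train, build_major, build_minor), e.g. ("13.1", 49, 13)."""
    m = BANNER_RE.search(text) or SHORT_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(text, edition="standard"):
    """Classify a NetScaler build against the CVE-2023-4966 fixed builds.

    edition is "standard", "fips" or "ndcpp" (labels assumed for this example);
    it must come from the caller because the version string alone does not
    reliably identify the edition. Returns one of:
      "fixed"          - at or above the fixed build for this train/edition
      "vulnerable"     - below the fixed build; update
      "vulnerable-eol" - EOL train with no fix; migrate to a supported release
      "unknown"        - train/edition not covered by the list above
    """
    train, major, minor = parse_version(text)
    key = (train, edition.lower())
    if key in EOL_TRAINS:
        return "vulnerable-eol"
    if key not in FIXED_BUILDS:
        return "unknown"
    # Build numbers compare as integer pairs, not as decimals: 49.15 is newer than 49.9.
    return "fixed" if (major, minor) >= FIXED_BUILDS[key] else "vulnerable"


if __name__ == "__main__":
    for banner, edition in [
        ("NetScaler NS13.1: Build 49.13.nc", "standard"),
        ("NetScaler NS14.1: Build 8.50.nc", "standard"),
        ("13.1-37.160", "fips"),
        ("12.1-65.39", "standard"),
    ]:
        print(f"{banner!r} [{edition}] -> {assess(banner, edition)}")
```

A "fixed" result only tells you the running build is at or past the patched build; it says nothing about sessions that were stolen while the appliance was still vulnerable, which is why the session-termination step in the remediation guidance is not optional.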
BreachBits recommends the following actions if your organization operates an affected version of Citrix NetScaler (ADC or Gateway). Further details on how to implement these recommendations can be found in the Citrix Security Advisory.
If any of the affected builds are in use in your environment, Citrix also recommends killing all active and persistent sessions on each appliance once the update is installed; this includes VPN, ICA and RDP sessions. This step matters because installing the update does not invalidate session tokens an attacker has already stolen: those sessions remain usable until they are terminated.
As of 10 Oct, Citrix has released updated builds for all affected versions that are still supported (see the list above). If applicable, BreachBits recommends installing the update as soon as possible.
What we are doing
Our BreachRisk™ service helps subscribers automatically and continuously detect, gauge, and test the ways attackers can cause a cyber breach. As a part of this service, when new threats are announced, we rapidly research the threat and notify our customers if they appear to be affected. BreachRisk™ customers have been notified about the threat and made aware if they are affected or not.
Specifically, BreachBits has supported our BreachRisk™ customers by:
Rapidly developing detection capability and scanning in-scope assets for the threat. Testing capability is forthcoming.
Notifying customers at all service levels whether or not they are affected. The subject of the email contains the phrase "BreachRisk™ Emerging Threat Alert 2023-18 - NetScaler/Citrix Gateway and ADC Vulnerability (CVE-2023-4966)".
Scanning organizations monitored by our BreachRisk™ Portfolio customers to determine whether the organizations they care about are affected.
We provide our BreachRisk™ for Business and BreachRisk™ Portfolio customers with continuous threat detection and testing services for situations like this. Our job is to answer these questions for our clients:
"Does this threat affect me?"
"If so, where am I affected?"
"How does this affect my overall cyber risk profile (i.e. my BreachRisk™ Score)?"
"Where does this threat stack up against other ongoing cyber threats?"
"How will I know when the situation is handled?"
As a part of our routine process, we have worked tirelessly since the announcement of this vulnerability to integrate capabilities to match this threat. Our automation and A.I.-based systems are designed so that detection for threats such as this can be developed rapidly. We don't just report technical data: we put the threat into context using the BreachRisk™ Score and BreachRisk™ Report.
As details of attack methods continue to become available, we expect attackers of lower skill levels to also learn to execute this attack. BreachBits will continue to update and refine our BreachRisk™ solutions to identify exposed vulnerable systems and attack methods, and will continue to initiate new BreachRisk™ assessment cycles for customers when new information about affected software is released publicly, to help our customers stay ahead of attackers.
What You Should Do
Consider taking the following actions, especially if you are not a BreachRisk™ customer:
Identify if the threat is present on your systems.
Pinpoint where you are affected.
Consider how your business would be impacted if the affected element were to be shut down, breached, or taken over by an attacker.
Determine if this risk is significant enough to divert resources from other efforts, and make a decision to attempt a fix or not.
If you attempt to fix, follow up to verify the fix was applied. You may need to repeat this cycle as more information emerges.
Now that the vulnerability is public, be on the lookout for further guidance from software developers and security firms.
If you are a BreachRisk™ Subscriber
If you are a BreachRisk™ for Business customer, we are already examining your external attack surface. You should also do the following:
Check your email over the next 24 hours for a summary of whether we believe you are affected or not.
Provide any IT infrastructure that we haven't already discovered via the Verifications page on your Dashboard. This will allow us to identify more of the attack pathways that are accessible from the internet.
Enable Penetration Testing if you have a Pro or Premium subscription. This will allow us to test any attack pathways we identify to see if an attacker can achieve a breach.
Since we are inspecting your external attack surface, you should have your security team search your internal systems, which we may not be able to see.
If you need assistance or have questions, contact us at email@example.com.
If you are a BreachRisk™ Portfolio client, consider contacting the companies in your portfolio and encouraging them to take the steps above if they haven't already. You can also monitor your companies for a sharp rise in their BreachRisk™ Score, which may indicate an affected company.
27 Oct 2023: Published