Citrix is warning of exploitation of a just lately disclosed critical security flaw in NetScaler ADC and Gateway appliances that could result in exposure of delicate details.
Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability impacts the following supported versions –
- NetScaler ADC and NetScaler Gateway 14.1 ahead of 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13. in advance of 13.-92.19
- NetScaler ADC and NetScaler Gateway 12.1 (at present close-of-lifetime)
- NetScaler ADC 13.1-FIPS just before 13.1-37.164
- NetScaler ADC 12.1-FIPS right before 12.1-55.300, and
- NetScaler ADC 12.1-NDcPP prior to 12.1-55.300
Having said that, for exploitation to happen, it necessitates the product to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server.
Although patches for the flaw were unveiled on Oct 10, 2023, Citrix has now revised the advisory to be aware that “exploits of CVE-2023-4966 on unmitigated appliances have been observed.”
Google-owned Mandiant, in its individual warn published Tuesday, mentioned it discovered zero-working day exploitation of the vulnerability in the wild commencing in late August 2023.
“Productive exploitation could final result in the capability to hijack current authenticated periods, thus bypassing multi-factor authentication or other powerful authentication requirements,” the menace intelligence company said.
“These periods could persist after the update to mitigate CVE-2023-4966 has been deployed.”
Mandiant also claimed it detected session hijacking wherever session details was stolen in advance of the patch deployment, and subsequently applied by an unspecified danger actor.
“The authenticated session hijacking could then final result in additional downstream access based on the permissions and scope of accessibility that the id or session was permitted,” it even further included.
“A threat actor could make use of this strategy to harvest more qualifications, laterally pivot, and achieve obtain to added methods within an environment.”
The menace actor behind the attacks has not been established, but the marketing campaign is mentioned to have focused experienced products and services, technology, and federal government businesses.
In gentle of lively abuse of the flaw and with Citrix bugs starting to be a lightning rod for danger actors, it truly is vital that customers shift quickly to update their circumstances to the hottest variation to mitigate probable threats.
“Companies require to do a lot more than just use the patch – they should also terminate all lively sessions,” Mandiant CTO Charles Carmakal said. “Even though this is not a remote code execution vulnerability, please prioritize the deployment of this patch given the active exploitation and vulnerability criticality.”
Observed this short article interesting? Stick to us on Twitter and LinkedIn to read through a lot more exclusive articles we submit.
Some areas of this write-up are sourced from: