The recent discovery and exploitation of CVE-2023-4966, a significant vulnerability in Citrix NetScaler Gateway and ADC devices, underscores the critical importance of cybersecurity vigilance. Initially uncovered and reported by Citrix, the vulnerability gained widespread attention following the publication of a proof-of-concept named “CitrixBleed” by AssetNote. The situation escalated when threat actors began exploiting the vulnerability by mid-October, prompting the CISA to add it to the Known Exploited Vulnerability Catalogue.
The LockBit ransomware group’s targeting of this vulnerability to compromise Citrix ADCs has further amplified concerns. In response, Citrix issued a security advisory, urging users to patch the vulnerability and implement specific commands to mitigate any ongoing risk from active malicious sessions.
Key Recommendations from Citrix
Citrix’s response includes a set of critical actions for users:
- Patch the Vulnerability: Users must immediately patch their Citrix NetScaler Gateway and ADC devices to the latest version that addresses CVE-2023-4966.
- Terminate Active Sessions: After patching, users should run the following commands to end all active sessions on the device:
kill aaa session -all
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
clear lb persistentSessions
- Investigative Steps: Citrix advises users to:
  - Monitor for unusual session activity, especially related to virtual desktops.
  - Review the ‘SSLVPN TCPCONNSTAT’ logs for discrepancies between ‘Client_ip’ and ‘Source’ IP addresses.
  - Post-forensics, remove core dumps from /var/core to prevent partition overflow.
- NetScaler ADM Users: For those using NetScaler ADM, Citrix recommends utilizing its security features, including security advisory, upgrade advisory, and file integrity monitoring, to expedite patching and enhance security.
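As an added illustration, not part of Citrix's advisory or of this article, the following Python snippet shows how the Client_ip/Source comparison from the investigative steps above could be automated over exported ns.log lines. The sample records are constructed, and their field layout is an assumption about the TCPCONNSTAT format; only the field names Client_ip and Source come from the advisory.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines (not real captures). The layout approximates ns.log
# SSLVPN TCPCONNSTAT records; session 501 shows a second connection whose
# Source address differs from the Client_ip the session was established with.
SAMPLE_LOG = """\
Nov 15 10:01:02 <local0.info> 10.0.0.10 : default SSLVPN TCPCONNSTAT 1001 0 : Context alice@corp@198.51.100.20 - SessionId: 501 - User alice - Client_ip 198.51.100.20 - Nat_ip 198.51.100.20 - Vserver 10.0.0.10:443 - Source 198.51.100.20:51234 - Destination 10.0.5.5:443
Nov 15 10:03:40 <local0.info> 10.0.0.10 : default SSLVPN TCPCONNSTAT 1002 0 : Context alice@corp@198.51.100.20 - SessionId: 501 - User alice - Client_ip 198.51.100.20 - Nat_ip 198.51.100.20 - Vserver 10.0.0.10:443 - Source 203.0.113.77:40022 - Destination 10.0.5.5:443
Nov 15 10:04:11 <local0.info> 10.0.0.10 : default SSLVPN TCPCONNSTAT 1003 0 : Context bob@corp@192.0.2.9 - SessionId: 502 - User bob - Client_ip 192.0.2.9 - Nat_ip 192.0.2.9 - Vserver 10.0.0.10:443 - Source 192.0.2.9:61000 - Destination 10.0.5.6:3389
"""

# Capture session id, user, Client_ip and the address part of Source (port dropped).
RECORD_RE = re.compile(
    r"SSLVPN TCPCONNSTAT .*?SessionId: (?P<session>\d+) - User (?P<user>\S+) - "
    r"Client_ip (?P<client_ip>[\d.]+) .*? - Source (?P<source>[\d.]+):\d+"
)


def parse_tcpconnstat(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per TCPCONNSTAT record; unrelated lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def find_source_mismatches(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose connecting Source address differs from the session Client_ip."""
    return [r for r in records if r["client_ip"] != r["source"]]


def sessions_with_multiple_sources(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Session ids seen from more than one Source address, with the addresses."""
    seen = defaultdict(set)
    for r in records:
        seen[r["session"]].add(r["source"])
    return {s: sorted(a) for s, a in seen.items() if len(a) > 1}


if __name__ == "__main__":
    recs = parse_tcpconnstat(SAMPLE_LOG)
    for r in find_source_mismatches(recs):
        print(f"session {r['session']} user {r['user']}: Client_ip {r['client_ip']} != Source {r['source']}")
    print(sessions_with_multiple_sources(recs))
```

A mismatch by itself is not proof of compromise (NAT changes and roaming clients can produce one), so each hit should be checked against the user's expected location before the session is terminated.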
Citrix has released a comprehensive report detailing these recommendations and investigative steps, highlighting their significance and application.
Importance of Timely Action
For Citrix NetScaler users, it is imperative to immediately patch vulnerable instances. This proactive measure is crucial to safeguard against exploitation by threat actors, who are actively seeking to leverage this vulnerability. The seriousness of this issue is underscored by the involvement of well-known ransomware groups like LockBit, which are known for their destructive capabilities.
Overall, the situation surrounding CVE-2023-4966 serves as a potent reminder of the ongoing and evolving threats in the cybersecurity landscape. Organizations must remain vigilant, regularly update their systems, and follow best practices as recommended by vendors and cybersecurity authorities to protect against such vulnerabilities.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.