A proof-of-concept exploit for the 'Citrix Bleed' vulnerability, CVE-2023-4966, allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. Citrix patched the flaw on October 10 but released few details about it. Mandiant later reported that it had been exploited as a zero-day in limited attacks since late August, and Citrix subsequently warned administrators to patch because of a rise in exploitation attempts. Assetnote researchers published a PoC exploit on GitHub to demonstrate the vulnerability and to help defenders test their own exposure.
The vulnerability is an unauthenticated buffer over-read affecting NetScaler ADC and Gateway appliances, which are deployed for load balancing, firewalling, traffic management, VPN access and user authentication. Assetnote diffed the pre-patch and patched builds and found two functions that gained additional bounds checks in the patched version. The root cause is the handling of snprintf's return value: snprintf returns the length the fully formatted string would have had, not the number of bytes actually written to the fixed-size destination buffer, so when the output is truncated and that return value is used as the length of the response, the device sends bytes from beyond the end of the buffer.
By sending an over-long hostname value, the analysts pushed the formatted output past the buffer limit and retrieved session cookies from the memory that vulnerable NetScaler endpoints returned. A valid session cookie lets an attacker hijack the account it belongs to and gain unrestricted access to the device. Now that the exploit is public, threat actors are expected to target NetScaler appliances for initial access to corporate networks; Shadowserver reported a rise in exploitation attempts following the PoC release, indicating ongoing malicious activity.
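The bug class described above, as an added example that is not the NetScaler code or Assetnote's PoC: a formatter writes a response into a fixed-size buffer and hands the sender the value snprintf returned. The struct layout, the response template, the "SESSIONID=" marker and the long_host helper are all constructed for the demo; the neighbour field stands in for whatever memory happens to follow the buffer on a real target.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size output buffer followed by a constructed "neighbour" region that
 * stands in for whatever sits after the buffer in memory (here a fake session
 * cookie). The layout is an assumption for the demo, not the appliance's. */
struct response_ctx {
    char buf[256];
    char neighbour[64];
};

/* Hypothetical response template filled from the attacker-controlled host value. */
#define RESP_FMT \
    "{\"issuer\":\"https://%s\",\"authorization_endpoint\":\"https://%s/oauth/authorize\"}"

/* Vulnerable pattern: snprintf() returns the length the complete string WOULD
 * have had, not the number of bytes that fit in buf. Handing that number to the
 * sender as the response length over-reads past buf whenever output was truncated. */
int build_response_vuln(struct response_ctx *ctx, const char *host) {
    return snprintf(ctx->buf, sizeof ctx->buf, RESP_FMT, host, host);
}

/* Hardened pattern: treat a return value >= the buffer size as truncation and
 * refuse, so the length passed on can never exceed the bytes actually written. */
int build_response_fixed(struct response_ctx *ctx, const char *host) {
    int n = snprintf(ctx->buf, sizeof ctx->buf, RESP_FMT, host, host);
    if (n < 0 || (size_t)n >= sizeof ctx->buf)
        return -1;
    return n;
}

/* Simulated response writer: copies len bytes starting at buf, as code trusting
 * len would. Clamped to the struct so the demo stays well-defined; on a real
 * target the read simply continues into adjacent memory. */
static size_t simulate_send(const struct response_ctx *ctx, int len, char *out, size_t out_sz) {
    if (len <= 0)
        return 0;
    size_t avail = sizeof *ctx - offsetof(struct response_ctx, buf);
    size_t n = (size_t)len;
    if (n > avail) n = avail;
    if (n > out_sz) n = out_sz;
    memcpy(out, (const char *)ctx + offsetof(struct response_ctx, buf), n);
    return n;
}

/* Sets up a context whose neighbour region holds a constructed cookie. */
static void init_ctx(struct response_ctx *ctx) {
    memset(ctx, 0, sizeof *ctx);
    strcpy(ctx->neighbour, "SESSIONID=constructed-session-cookie-value");
}

/* Length the vulnerable builder would tell the sender to transmit. */
int vuln_response_len(const char *host) {
    struct response_ctx ctx;
    init_ctx(&ctx);
    return build_response_vuln(&ctx, host);
}

/* Length the hardened builder returns (-1 when the output was truncated). */
int fixed_response_len(const char *host) {
    struct response_ctx ctx;
    init_ctx(&ctx);
    return build_response_fixed(&ctx, host);
}

/* 1 if the bytes the vulnerable path would send contain the neighbour's cookie. */
int vuln_leaks_cookie(const char *host) {
    struct response_ctx ctx;
    char out[sizeof(struct response_ctx)];
    init_ctx(&ctx);
    int len = build_response_vuln(&ctx, host);
    size_t sent = simulate_send(&ctx, len, out, sizeof out);
    const char *marker = "SESSIONID=";
    size_t mlen = strlen(marker);
    for (size_t i = 0; i + mlen <= sent; i++)
        if (memcmp(out + i, marker, mlen) == 0)
            return 1;
    return 0;
}

/* Constructed over-long host value of n 'A' characters (static buffer). */
const char *long_host(size_t n) {
    static char h[1024];
    if (n >= sizeof h) n = sizeof h - 1;
    memset(h, 'A', n);
    h[n] = '\0';
    return h;
}

int main(void) {
    const char *hosts[] = { "gateway.example", long_host(400) };
    for (int i = 0; i < 2; i++)
        printf("host len %zu: vuln_len=%d fixed_len=%d leaks=%d\n",
               strlen(hosts[i]), vuln_response_len(hosts[i]),
               fixed_response_len(hosts[i]), vuln_leaks_cookie(hosts[i]));
    return 0;
}
```

With a short host both builders agree and nothing past the buffer is sent; with a 400-byte host the vulnerable builder reports a length far larger than the 256-byte buffer, the simulated sender copies straight through into the neighbour region, and the constructed cookie appears in the output, while the hardened builder refuses the truncated response. The same audit rule applies when reviewing any snprintf call: check whether the return value is compared against the buffer size before it is used as a length.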
Given the risk of ransomware and data theft, administrators are strongly advised to apply the CVE-2023-4966 patches immediately. Because a session cookie stolen before patching remains valid afterwards, existing sessions on the appliance should also be terminated once the patch is in place.
Article Source
https://www.bleepingcomputer.com/news/security/citrix-bleed-exploit-lets-hackers-hijack-netscaler-accounts/amp/