A proof-of-concept exploit has been released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, which allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances.

CVE-2023-4966 is a critical-severity, remotely exploitable information disclosure flaw that Citrix fixed on October 10 without providing many details. On October 17, Mandiant revealed that the flaw had been abused as a zero-day in limited attacks since late August 2023. On Monday, Citrix issued a subsequent warning to administrators of NetScaler ADC and Gateway appliances, urging them to patch the flaw immediately, as the rate of exploitation had started to pick up.

Today, researchers at Assetnote shared more details about the exploitation method for CVE-2023-4966 and published a PoC exploit on GitHub to demonstrate their findings and help those who want to test for exposure.

The CVE-2023-4966 Citrix Bleed flaw is an unauthenticated buffer over-read affecting Citrix NetScaler ADC and NetScaler Gateway, network devices used for load balancing, firewall implementation, traffic management, VPN, and user authentication. By diffing the unpatched and patched versions of NetScaler, Assetnote found 50 changed functions. The vulnerability stems from how the return value of the snprintf function is used: snprintf reports the length the full formatted output would have had, even when the output was truncated to fit the destination buffer, so when that value is trusted as the length of the data to return, an over-long input makes the appliance send memory past the end of the buffer. The patched version only sends a response if snprintf returns a value lower than 0x20000.

Armed with that knowledge, Assetnote's analysts attempted to exploit vulnerable NetScaler endpoints. "We could clearly see a lot of leaked memory immediately following the JSON payload," explains Assetnote in the report. By triggering the vulnerability thousands of times during testing, the analysts consistently located a 32-65 byte long hex string that is a session cookie.
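The snprintf pattern described above, as an added illustrative example; this is not NetScaler's code and not Assetnote's PoC. A fixed-size response buffer sits directly in front of a session cookie in memory; the vulnerable builder trusts snprintf's return value as the number of bytes to send, while the hardened builder refuses to send anything when the output was truncated. The buffer sizes, memory layout, JSON template, the client-controlled `host` string, the function names and the sample cookie are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction of the bug class in the article (an snprintf
 * return value trusted as a send length). NOT NetScaler's code and NOT
 * Assetnote's PoC: sizes, layout, template, names and cookie are assumed. */

#define RESP_BUF_SIZE 256       /* assumed size of the response buffer */
#define MAX_RESP_LEN  0x20000   /* bound the patch checks, per the article */

/* Simulated slice of process memory: the response buffer is followed
 * directly by other data, here a session cookie, so an over-read of the
 * response buffer discloses the cookie. */
struct memory {
    char resp[RESP_BUF_SIZE];
    char cookie[128];
};

/* Constructed sample cookie: a 32-character hex string, the shorter of the
 * two cookie lengths the article mentions. */
static const char SAMPLE_COOKIE[] = "0123456789abcdef0123456789abcdef";

/* Assumed JSON template embedding a client-controlled string three times,
 * so a long input overshoots the buffer quickly. */
static const char TEMPLATE[] =
    "{\"issuer\":\"https://%s\","
    "\"authorization_endpoint\":\"https://%s/authorize\","
    "\"token_endpoint\":\"https://%s/token\"}";

/* Vulnerable builder: returns snprintf's value as the response length.
 * snprintf reports the length the full output WOULD have had even when it
 * was cut off at sizeof m->resp, so a long host yields a length larger than
 * the buffer and the caller transmits memory past its end. */
static int build_response_vuln(struct memory *m, const char *host)
{
    int n = snprintf(m->resp, sizeof m->resp, TEMPLATE, host, host, host);
    return n < 0 ? -1 : n;    /* may exceed sizeof m->resp */
}

/* Hardened builder: refuse when the output was truncated or oversized.
 * The 0x20000 comparison mirrors the patch's check as described in the
 * article; the sizeof comparison is the general fix for this bug class. */
static int build_response_fixed(struct memory *m, const char *host)
{
    int n = snprintf(m->resp, sizeof m->resp, TEMPLATE, host, host, host);
    if (n < 0 || n >= MAX_RESP_LEN || (size_t)n >= sizeof m->resp)
        return -1;            /* truncated: do not send anything */
    return n;
}

/* Simulated send: copies len bytes starting at the response buffer into out,
 * just as send(sock, m->resp, len, 0) would read them. The copy is clamped
 * to the struct so the demonstration stays within defined behaviour; a real
 * over-read keeps going into the heap. */
static size_t send_response(const struct memory *m, int len, char *out, size_t out_sz)
{
    size_t n = len < 0 ? 0 : (size_t)len;
    if (n > sizeof *m) n = sizeof *m;
    if (n > out_sz)    n = out_sz;
    memcpy(out, (const char *)m, n);
    return n;
}

typedef int (*builder_fn)(struct memory *, const char *);

/* Fills host with host_len 'A' characters (NUL-terminated). */
static void fill_host(char *host, size_t cap, size_t host_len)
{
    if (host_len >= cap) host_len = cap - 1;
    memset(host, 'A', host_len);
    host[host_len] = '\0';
}

/* Length the chosen builder reports for a host of host_len 'A's
 * (-1 means the hardened builder refused to send). */
static int response_length(int hardened, size_t host_len)
{
    struct memory m;
    char host[1024];
    fill_host(host, sizeof host, host_len);
    memset(&m, 0, sizeof m);
    return (hardened ? build_response_fixed : build_response_vuln)(&m, host);
}

/* Builds and "sends" a response for a host of host_len 'A's, then checks
 * whether the transmitted bytes contain the cookie stored just past the
 * response buffer. Returns 1 if the cookie leaked, 0 otherwise. */
static int cookie_leaks(int hardened, size_t host_len)
{
    struct memory m;
    char host[1024];
    char out[sizeof m];
    builder_fn build = hardened ? build_response_fixed : build_response_vuln;
    size_t cookie_len = strlen(SAMPLE_COOKIE);

    fill_host(host, sizeof host, host_len);
    memset(&m, 0, sizeof m);
    memcpy(m.cookie, SAMPLE_COOKIE, sizeof SAMPLE_COOKIE);

    size_t sent = send_response(&m, build(&m, host), out, sizeof out);
    return sent >= RESP_BUF_SIZE + cookie_len &&
           memcmp(out + RESP_BUF_SIZE, SAMPLE_COOKIE, cookie_len) == 0;
}

int main(void)
{
    printf("short host, vulnerable: len=%d leak=%d\n", response_length(0, 14),  cookie_leaks(0, 14));
    printf("long host,  vulnerable: len=%d leak=%d\n", response_length(0, 200), cookie_leaks(0, 200));
    printf("long host,  hardened:   len=%d leak=%d\n", response_length(1, 200), cookie_leaks(1, 200));
    return 0;
}
```

With a short host both builders report the same length and nothing leaks; with a 200-byte host the vulnerable builder reports a length several times the buffer size and the simulated send carries the cookie, while the hardened builder returns -1. Note that a bare "less than 0x20000" check only helps when the real buffer is at least that large; in this example the buffer is far smaller, so it is the comparison against the buffer's own size that catches the truncation, and that is the check to reach for when auditing other snprintf callers.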
Retrieving that cookie makes it possible for attackers to hijack the corresponding authenticated sessions and gain unrestricted access to vulnerable appliances. Now that a CVE-2023-4966 exploit is publicly available, threat actors are expected to increase their targeting of Citrix NetScaler devices to gain initial access to corporate networks. As these types of vulnerabilities are commonly used in ransomware and data theft attacks, system administrators are strongly advised to deploy the patches immediately. Because the flaw discloses existing session cookies, patching alone does not revoke sessions that may already have been stolen; administrators should also terminate active sessions on affected appliances after updating.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000