Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability.

The company patched this critical sensitive-information-disclosure flaw two weeks ago, assigning it a 9.4/10 severity rating because it is remotely exploitable by unauthenticated attackers in low-complexity attacks that require no user interaction. NetScaler appliances must be configured as a Gateway or as an AAA virtual server to be vulnerable.

While the company had no evidence that the vulnerability was being exploited in the wild when the fix was released, Mandiant disclosed ongoing exploitation one week later. The cybersecurity company said threat actors had been exploiting CVE-2023-4966 as a zero-day since late August 2023 to steal authentication sessions and hijack accounts, which could help the attackers bypass multifactor authentication or other strong authentication requirements.

Mandiant cautioned that compromised sessions persist even after patching and that, depending on the compromised accounts' permissions, attackers could move laterally across the network or compromise other accounts. Mandiant found instances where CVE-2023-4966 was exploited to infiltrate the infrastructure of government entities and technology corporations.

"We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability," Citrix warned today. "If you are using affected builds and have configured NetScaler ADC as a gateway or as an AAA virtual server, we strongly recommend that you immediately install the recommended builds because this vulnerability has been identified as critical."

Citrix added that it is "unable to provide forensic analysis to determine if a system may have been compromised."

Because stolen sessions survive the upgrade, Citrix also recommends terminating all active and persistent sessions after installing the fixed build, using the following NetScaler CLI commands:

kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
NetScaler ADC and NetScaler Gateway devices that are not set up as gateways or as AAA virtual servers are not vulnerable to CVE-2023-4966 attacks. Citrix also confirmed that other products, such as NetScaler Application Delivery Management and Citrix SD-WAN, are not affected.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000