Citrix, the multinational known for its virtualization, networking and cloud products, is warning that a critical vulnerability recently disclosed in its NetScaler ADC and NetScaler Gateway appliances is being exploited in the wild. The flaw can lead to the disclosure of sensitive information.

Which NetScaler products are affected by the Citrix vulnerability

Tracked as CVE-2023-4966 (CVSS score 9.4), the vulnerability affects the following versions:

NetScaler ADC and NetScaler Gateway 14.1 before version 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before version 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before version 13.0-92.19
NetScaler ADC and NetScaler Gateway 12.1 (now end of life, no fix available)
NetScaler ADC 13.1-FIPS before version 13.1-37.164
NetScaler ADC 12.1-FIPS before version 12.1-55.300
NetScaler ADC 12.1-NDcPP before version 12.1-55.300

Exploitation also requires the appliance to be configured as a Gateway (VPN virtual server, ICA proxy, CVPN or RDP proxy) or as an AAA (authentication, authorization and accounting) virtual server. An appliance used purely for load balancing, with neither role configured, is not reachable through this bug.
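As an added example (not code from the original article, nor from Citrix), the Python below turns the affected-version list and the exposure precondition into a check that can be run against output collected from a fleet of appliances: it parses the banner printed by "show ns version" and picks the Gateway and AAA virtual servers out of the running configuration. The version banner and configuration lines are constructed samples, the fixed-build table is taken from the list above, and the "flavour" parameter is an assumption of this example, because a FIPS or NDcPP build cannot be told apart from a standard build by its version number alone (13.1-37.164 is fixed for FIPS but would be an old, unpatched build on the standard 13.1 branch).

```python
import re

# Fixed builds from the Citrix advisory for CVE-2023-4966, keyed by
# (release branch, build flavour). A build is fixed when its
# (major, minor) build number is >= the value listed here. The 12.1
# standard branch is end of life and has no fix, so it is absent and is
# treated as always unpatched.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Matches the banner line of "show ns version",
# e.g. "NetScaler NS13.1: Build 49.13.nc, Date: ...".
VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")

# Gateway and AAA virtual servers as they appear in ns.conf or in
# "show ns runningConfig". All Gateway modes (VPN, ICA proxy, CVPN, RDP
# proxy) are "vpn vserver" objects; AAA is an "authentication vserver".
EXPOSED_VSERVER_RE = re.compile(
    r"^add (vpn|authentication) vserver (\S+) (\S+) (\S+) (\d+)", re.MULTILINE
)

# Constructed sample data; the date is a placeholder, not a real build date.
SAMPLE_VERSION = "NetScaler NS13.1: Build 49.13.nc, Date: Jan 1 2000, 00:00:00   (64-bit)"
SAMPLE_CONFIG = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 10.0.0.5 443
add authentication vserver aaa_vs SSL 10.0.0.6 443
"""


def parse_version(show_version_output):
    """Return (branch, (build_major, build_minor)) from a version banner."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no NetScaler version banner found")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_unpatched(show_version_output, flavour="standard"):
    """True when the build is below the fixed build for its branch/flavour."""
    branch, build = parse_version(show_version_output)
    fixed = FIXED_BUILDS.get((branch, flavour))
    if fixed is None:
        # EOL 12.1 standard, or a branch we have no data for: fail closed
        # and report it as unpatched so it gets looked at by a human.
        return True
    return build < fixed


def exposed_vservers(running_config):
    """List (kind, name, ip:port) for every Gateway or AAA vserver."""
    return [
        (m.group(1), m.group(2), f"{m.group(4)}:{m.group(5)}")
        for m in EXPOSED_VSERVER_RE.finditer(running_config)
    ]


def assess(show_version_output, running_config, flavour="standard"):
    """Both preconditions must hold: unpatched build AND an exposed vserver."""
    unpatched = is_unpatched(show_version_output, flavour)
    exposed = exposed_vservers(running_config)
    return {
        "unpatched": unpatched,
        "exposed_vservers": exposed,
        "exploitable": unpatched and bool(exposed),
    }


if __name__ == "__main__":
    # Sample appliance: 13.1 build 49.13 (below 49.15) with a Gateway and
    # an AAA vserver configured, so it is reported as exploitable.
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))
```

The check answers only "is this appliance still exploitable"; a build at or above the fixed number clears the first precondition but says nothing about sessions that were already stolen, which is the point Mandiant makes further down.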

Patches for the flaw were released on October 10, 2023, and Citrix has since revised its advisory to note that "exploits of CVE-2023-4966 have been observed on unpatched devices."

Mandiant, the Google-owned incident response firm, said in its own advisory published on Tuesday that it had identified zero-day exploitation of the vulnerability beginning in late August 2023.

"Successful exploitation could result in the ability to hijack existing authenticated sessions, thus bypassing multi-factor authentication or other strong authentication requirements," the Google-owned threat intelligence company said of the Citrix devices, adding: "These sessions may persist even after the update to mitigate CVE-2023-4966 has been deployed."

Mandiant also said it had observed session hijacking in which session data was stolen before the patch was applied and later reused by a still-unidentified attacker.

"The hijacking of authenticated sessions could then lead to further downstream access based on the permissions and scope of access granted to the identity or session," Mandiant added. "An attacker could use this method to collect additional credentials, pivot laterally, and gain access to additional resources within an environment."

The perpetrators behind the attacks have not been identified, but the campaign is thought to have targeted professional services, technology and government organisations.

Given the active exploitation of this Citrix vulnerability, and the growing attention that flaws of this kind attract from criminals, users should update their instances to a fixed version without delay. Updates are the thing many people dislike, but they need to be applied.

"Organizations need to do more than simply apply the patch, they should also terminate all active sessions," said Mandiant CTO Charles Carmakal. "While this is not a remote code execution vulnerability, please prioritize deployment of this patch given the active exploitation and criticality of the vulnerability."

Two thoughts on updates

As just mentioned, many people do not install updates, and some disable them as soon as they buy a new PC or phone, thinking it is a clever move. This case is one of countless examples showing that, very often, turning updates off is not so smart.

It is true that an update can occasionally cause problems, but it is equally true that the vendor's website usually says whether it is better to hold off and wait. In the case of this Citrix vulnerability, as we have just seen, the company's advice should be followed.