New critical Citrix ADC and Gateway zero-day vulnerability

A zero-day vulnerability has been found in NetScaler Application Delivery Controller (formerly Citrix ADC and NetScaler Gateway (formerly Citrix Gateway). This flaw, identified as CVE-2023-4966 by the Common Vulnerabilities and Exposures system, recently had a patch released by Citrix.

The vulnerability holds a severity rating of 9.4/10 due to its remote exploitability by unauthenticated attackers in low-complexity attacks that don't necessitate user interaction. To safeguard systems and data, it is highly recommended to take immediate action, as described below.

Overview of the CVE-2023-4966 exploit

Threat actors have been exploiting this as a zero-day since late August 2023, stealing authentication sessions and hijacking accounts. This enables them to bypass multifactor authentication or other strong authentication requirements.

“The exploit abuses a buffer over-read weakness in the snprintf() function which allows valid session cookies to be returned to an attacker. Snprintf() is often recommended as the more secure version of sprintf(), however, this case demonstrates why developers must have a thorough knowledge of the functions they are using.”

- Rogier Fischer, 2023

The affected versions of NetScaler ADC and NetScaler Gateway are:

NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL) and are vulnerable.

While there was no evidence of exploitation in the wild at the time of the fix release, on October 10th, evidence of ongoing exploitation was disclosed one week later. Dylan Pindur, the security analyst who discovered the exploit, warns that compromised sessions persist even after patching. Depending on the compromised accounts' permissions, attackers could move laterally across the network or compromise other accounts.

Remediating the threat

Exploits of CVE-2023-4966 on unmitigated appliances have been observed. Hadrian strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible:

NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
NetScaler ADC and NetScaler Gateway  13.1-49.15 and later releases of 13.1
NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0 
NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS 
NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS 
NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Citrix has reported incidents consistent with session hijacking and has received credible reports of targeted attacks exploiting this vulnerability. It is therefore important to reset the credentials of all potentially impacted accounts.

Hadrian has proactively notified our platform users to assist them in mitigating any potential risks.