CVE-2023-4966 and CVE-2023-4967, what you should know and how to fix your Netscaler ADC, NetScaler Gateway

Disclaimer: This blog post is made to help you understand CVE-2023-4966 and CVE-2023-4967, how you can check whether you are vulnerable, and community guidelines on how to fix your environment. This blog post does not cover the details of the exploits out there, as I have no interest in sharing what the red team is doing. All responsibility is your own. I highly recommend you read the blog post and take action immediately; don't hesitate.
(Last updated 26th October 2023)

Timeline for CVE-2023-4966 and CVE-2023-4967

The timeline for CVE-2023-4966 and CVE-2023-4967 will be updated as things progress.
(last updated 26th October 2023)

10th October 2023

On 10th October 2023 Citrix published a critical security bulletin for Citrix ADC (aka NetScaler) and Citrix Access Gateway covering CVE-2023-4966 and CVE-2023-4967: multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). NetScaler ADC and NetScaler Gateway contain unauthenticated buffer-related vulnerabilities.

Citrix has noted that the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server to be vulnerable.

CVE-2023-4966 has a CVSS score of 9.4 out of 10.
CVE-2023-4967 has a CVSS score of 8.2 out of 10.

Citrix published security bulletin CTX579459, which contains the information about CVE-2023-4966 and CVE-2023-4967.

Firmware builds were released on 10th October 2023 for the affected Citrix ADC/Access Gateway versions.
Citrix strongly recommends that customers on these versions install these updates immediately.

Description of Problem

Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

  • Netscaler ADC and Netscaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15 
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19 
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action. 

CVE-2023-4966
  Affected products: NetScaler ADC, NetScaler Gateway
  Description: Sensitive information disclosure
  Pre-requisites: Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
  CWE: CWE-119
  CVSS: 9.4

CVE-2023-4967
  Affected products: NetScaler ADC, NetScaler Gateway
  Description: Denial of service
  Pre-requisites: Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
  CWE: CWE-119
  CVSS: 8.2

17th October 2023

Mandiant released a blog post on remediation for the Citrix NetScaler ADC and Gateway vulnerability CVE-2023-4966.

Mandiant updated their CVE-2023-4966 guidance document to version 1.1 with additional commands to execute after the update.

Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023. Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication (MFA) or other strong authentication requirements. These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, prior to the update being deployed, we have observed session hijacking where session data was stolen and subsequently used by a threat actor.

18th October 2023

BleepingComputer released a blog post about CVE-2023-4966, including steps for fixing and mitigation.

19th October 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-4966 to their Known Exploited Vulnerabilities (KEV) catalog (see NVD – CVE-2023-4966 (nist.gov)).

23rd October 2023

Citrix released a blog post with more details about CVE-2023-4966: https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/

24th October 2023

Mandiant updated their CVE-2023-4966 document to version 1.2 with an additional indicator in the Detection section.

https://services.google.com/fh/files/misc/citrix-netscaler-adc-gateway-cve-2023-4966-remediation.pdf

25th October 2023

Security firm Assetnote released an analysis, including a proof of concept, that demonstrates how to steal session tokens.

26th October 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated NVD – CVE-2023-4966 (nist.gov) with the Citrix Bleed Session Token Leakage Proof Of Concept.

NVD gives CVE-2023-4966 a score of 7.5 out of 10.

Why you should take CVE-2023-4966 seriously

NIST gave CVE-2023-4966 a score of 7.5 out of 10.
Citrix gave CVE-2023-4966 a score of 9.4 out of 10.

Citrix Products affected

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: It is important to be aware that NetScaler ADC and NetScaler Gateway version 12.1 has reached the End Of Life (EOL) status. This implies that this version is not only vulnerable but also exposes customers to potential risks. It is highly recommended that customers swiftly upgrade to a supported version, such as 13.0, 13.1 or 14.1, to ensure a safer and more secure environment.
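To check an inventory of appliances against that list, here is an added example (not from Citrix or the post's author) that parses the bulletin's "branch-build.sub" notation and, as an assumption, the "NetScaler NSxx.y: Build a.b.nc" wording of `show ns version`, then classifies the build against the fixed builds named above:

```python
import re

# Fixed builds per (branch, edition), copied from the affected-versions list above;
# any lower build on that branch/edition is affected according to the bulletin.
FIXED_BUILDS = {
    ("14.1", "standard"): "14.1-8.50",
    ("13.1", "standard"): "13.1-49.15",
    ("13.0", "standard"): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}
EOL_BRANCHES = {"12.1"}  # 12.1 (non-FIPS/NDcPP) is EOL and listed as vulnerable

# Matches '13.1-49.13' as well as the assumed 'show ns version' form 'NS13.1: Build 49.13.nc'
VERSION_RE = re.compile(r"(\d+)\.(\d+)[-:]\s*(?:Build\s+)?(\d+)\.(\d+)")

def parse_build(text):
    """Return (branch, build) such as ('13.1', (49, 13)); raise if nothing matches."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return f"{major}.{minor}", (build, sub)

def assess(version, edition="standard"):
    """Classify an appliance as 'affected', 'fixed', 'eol-vulnerable' or
    'not-covered' (a branch/edition combination the bulletin does not list)."""
    branch, build = parse_build(version)
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        if edition == "standard" and branch in EOL_BRANCHES:
            return "eol-vulnerable"
        return "not-covered"
    # Builds compare as (build, sub-build) tuples: 49.13 < 49.15, but 8.50 is not < 8.50.
    return "affected" if build < parse_build(fixed)[1] else "fixed"
```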

What should customers do

Exploits of CVE-2023-4966 and CVE-2023-4967 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. 

NetScaler customers/partners should also upgrade the NetScalers that are not currently running AAA/GW, after the critical ones (NetScaler ADC running AAA/GW) have been patched, so that you do not unknowingly make yourself vulnerable down the road.

This is a critical patch from NetScaler; take the threat seriously and do not wait, as many customers/partners did back in 2019 (CVE-2019-19781) and again with CVE-2023-3519, when people waited until the public exploit came out.

Fix Timelines for firmware GA

Citrix provides the firmware updates as refresh builds, which are available for all supported versions of NetScaler ADC and NetScaler Gateway. Refer to the tables below for the expected release dates.

VPX/MPX/SDX – Customers with NetScaler ADC, NetScaler Gateway 12.1, 13.0, 13.1 and 14.1 can upgrade to the latest 13.0 build 91.13, 13.1 build 49.15 or 14.1 build 8.50, as the security patch is GA.

FIPS VPX/MPX/SDX – Customers with NetScaler 12.1 and 13.1 can upgrade to the latest 12.1-55.300 or 13.1-37.164.
NDcPP VPX/MPX/SDX – Customers with NetScaler 12.1 can upgrade to the latest 12.1-55.300.

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

Netscaler ADC and Netscaler Gateway
Version | Refresh Build | Expected Release Date
14.1    | 14.1-8.50     | 26th September 2023 (released)
13.1    | 13.1-49.15    | 10th October 2023 (released)
13.0    | 13.0-92.19    | 10th October 2023 (released)

Netscaler ADC and Netscaler Gateway FIPS/NDcPP
Version    | Refresh Build | Expected Release Date
13.1-FIPS  | 13.1-37.159   | 10th October 2023 (released)
12.1-FIPS  | 12.1-55.300   | 10th October 2023 (released)
12.1-NDcPP | 12.1-55.300   | 10th October 2023 (released)

Deep-dive insights about CVE-2023-4966 and CVE-2023-4967

Assetnote have presented their analysis of the CVE-2023-4966 vulnerability based on a reverse analysis of the patch under the title “Citrix Bleed”. https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966

Mitigation Steps for CVE-2023-4966 and CVE-2023-4967

Upgrade NetScaler ADC/Gateway to the latest firmware. The affected versions are:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

After updating your NetScaler ADC/Gateway, run the following commands on each appliance. Citrix's guidance:

If you are using any of the affected builds listed in the security bulletin, you should update immediately by installing the recommended builds. In addition, we also recommend killing all active and persistent sessions using the following commands:

kill icaconnection -all

kill rdp connection -all

kill pcoipConnection -all

kill aaa session -all

clear lb persistentSessions

Check if you are compromised*:

Detection

If web application firewalls or other platforms that capture URL requests are deployed in front of NetScaler device(s), review available logs for an abnormal amount of web requests originating from suspicious IP addresses.

  • If web application firewalls or other platforms that capture URL requests are deployed in front of the NetScaler device(s), review for abnormal requests to the following URL path:

    oauth/idp/.well-known/openid-configuration

    Note: This is a valid NetScaler URL path for retrieving information about configured OAuth IDP endpoints. Detection of suspicious requests will need to be baselined against historical expected connections to the URL path.
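As an added example (not from Mandiant or the post's author), the Python below counts requests to that path per source IP in constructed Common Log Format lines, the format assumed for a WAF or reverse proxy in front of the Gateway, and flags sources that exceed a baseline taken from known-good history; a production version would also window by hour and read the baseline from real logs.

```python
import re
from collections import Counter

# Constructed Common Log Format lines (not real traffic) standing in for a WAF or
# reverse-proxy log captured in front of a NetScaler Gateway; RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Oct/2023:09:00:01 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1450
198.51.100.7 - - [24/Oct/2023:09:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
203.0.113.10 - - [24/Oct/2023:09:00:06 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1450
203.0.113.10 - - [24/Oct/2023:09:00:07 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1450
198.51.100.7 - - [24/Oct/2023:09:00:09 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1450
203.0.113.10 - - [24/Oct/2023:09:00:10 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1450
203.0.113.10 - - [24/Oct/2023:09:00:11 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1450
203.0.113.10 - - [24/Oct/2023:09:00:12 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1450
"""

# Legitimate NetScaler endpoint named in the Mandiant guidance; real clients fetch it rarely.
WATCH_PATH = "/oauth/idp/.well-known/openid-configuration"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_log(text):
    """Yield one dict per parseable line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def hits_per_source(records, path=WATCH_PATH):
    """Count requests to `path` per client IP, ignoring any query string."""
    counts = Counter()
    for rec in records:
        if rec["path"].split("?", 1)[0] == path:
            counts[rec["ip"]] += 1
    return counts

def flag_sources(counts, baseline, factor=3.0, min_hits=5):
    """Return IPs whose count exceeds `factor` x the historical per-source baseline
    for this path (assumed to come from known-good logs) and also exceeds
    `min_hits`, so one extra legitimate discovery request never fires."""
    threshold = max(min_hits, baseline * factor)
    return sorted(ip for ip, n in counts.items() if n > threshold)

def analyse(text, baseline=1.0):
    """Parse, count and flag in one call; returns (counts, flagged_ips)."""
    counts = hits_per_source(parse_log(text))
    return counts, flag_sources(counts, baseline)
```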

If you suspect you are compromised, take action:

Below are 2 solutions. Some like to reimage a VPX from scratch while others like to use their backup solution, so I have provided both solutions here.

Solution 1: reimage

  1. If the checks above indicate compromise, do the following:
  2. Remove your NetScaler ADC/Gateway from the network
  3. Create a support ticket with NetScaler support
  4. Take a snapshot of the potentially vulnerable NetScaler ADC VPX for forensic analysis and further investigation
  5. Re-image the NetScaler ADC (both nodes in HA*) and re-import the config
    This is a slow process for MPX, as you have to go through Citrix tech support and might even need to have a new HDD with a clean image shipped
  6. Investigate all servers the NetScaler ADC has a connection to for further compromise.
    This might include the typical Citrix candidates like StoreFront, etc., as well as DCs for LDAP, but in a full NetScaler ADC deployment it might also include a large number of web and application servers
  7. Change the passwords of all NetScaler ADC local accounts
    While stored hashed in the ns.conf, those might be crackable
  8. Change the passwords of all NetScaler ADC AD service accounts
    While stored encrypted in the ns.conf, those might be crackable
  9. Change the passwords of all AD user accounts that were using the NetScaler ADC to log in
    All users? Yes; remember that you are able to take Wireshark traces on the NetScaler ADC including SSL session keys, which can then be used to decrypt the whole communication, including user login credentials
  10. Revoke and renew all SSL certificates (private/public)
    Private keys might have been downloaded. While private key passwords are stored encrypted in the ns.conf, those might be crackable
  11. Upgrade to the latest NetScaler ADC/AG build.
    Special note:
    if NetScaler ADC/AG 14.1, upgrade to build 14.1-8.50 to install the security vulnerability fixes
    if NetScaler ADC/AG 13.1, upgrade to build 13.1-49.15 to install the security vulnerability fixes
    if NetScaler ADC/AG 13.0, upgrade to build 13.0-92.19 to install the security vulnerability fixes
    if NetScaler ADC/AG FIPS 13.1, upgrade to build 13.1-37.164 to install the security vulnerability fixes
    if NetScaler ADC/AG FIPS 12.1, upgrade to build 12.1-55.300 to install the security vulnerability fixes
    if NetScaler ADC/AG NDcPP 12.1, upgrade to build 12.1-55.300 to install the security vulnerability fixes
  12. Run the following commands on all upgraded appliances:
    kill icaconnection -all
    kill rdp connection -all
    kill pcoipConnection -all
    kill aaa session -all
    clear lb persistentSessions
  13. Enhance security and implement Citrix ADM from Citrix Cloud or on-prem.
  14. Run diagnostics and upload them to cis.citrix.com to check whether Citrix has recommendations to enhance security
  15. Harden your NetScaler ADC/AG
    For example, use the Best practices for NetScaler MPX, VPX, and SDX security guide from NetScaler
  16. Re-enable the NetScaler ADC on the internet
  17. Check for the vulnerability (see above)
  18. Inform your country's cyber security authority that you have been compromised and take steps according to either GDPR or the data protection law in your country.

CISA/Citrix recommendations

Cloud Software Group – Citrix
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

CISA
NVD – CVE-2023-4966 (nist.gov)

Mandiant remediation document for CVE-2023-4966
https://services.google.com/fh/files/misc/citrix-netscaler-adc-gateway-cve-2023-4966-remediation.pdf

Community recommendations

Sign up for security alerts:

https://login.citrix.com/?url=https://support.citrix.com/user/alerts
