Last updated at Fri, 27 Oct 2023 16:50:27 GMT

On October 10, 2023, Citrix published an advisory on two vulnerabilities affecting NetScaler ADC and NetScaler Gateway. The more critical of these two issues is CVE-2023-4966, a sensitive information disclosure vulnerability that allows an attacker to read large amounts of memory after the end of a buffer. Notably, that memory includes session tokens, which permits an attacker to impersonate another authenticated user. On October 17, Citrix updated the advisory to indicate that they have observed exploitation in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2023-4966 to their Known Exploited Vulnerabilities (KEV) catalog.

On October 25, 2023, security firm Assetnote published an analysis, including a proof of concept, that demonstrates how to steal session tokens. Since then, Shadowserver has noted an uptick in scanning for that endpoint. Rapid7 MDR is investigating potential exploitation of this vulnerability in a customer environment but is not yet able to confirm with high confidence that CVE-2023-4966 was the initial access vector.

Rapid7 recommends taking emergency action to mitigate CVE-2023-4966. Threat actors, including ransomware groups, have historically shown strong interest in Citrix NetScaler ADC vulnerabilities. We expect exploitation to increase. Our research team has published a technical assessment of the vulnerability and its impact in AttackerKB.

Affected Products

Citrix published a blog on October 23 that has exploitation and mitigation details. Their advisory indicates that CVE-2023-4966 affects the following supported versions of NetScaler ADC and NetScaler Gateway:

* NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50

* NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15

* NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19

* NetScaler ADC 13.1-FIPS before 13.1-37.164

* NetScaler ADC 12.1-FIPS before 12.1-55.300

* NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.

In order to be exploited, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR an AAA virtual server (which is a very common configuration). Citrix has indicated that customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
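As an added example (not Rapid7's or Citrix's own tooling), the following Python script encodes the affected-version table above, including the 12.1 EOL note, so a version string taken from an appliance can be checked against the fixed builds. It assumes that `show ns version` output looks like `NetScaler NS13.1: Build 49.13.nc` (an assumption; the advisory's bare `13.1-49.13` form is also accepted).

```python
import re

# Fixed builds per branch and variant, taken from the affected-version list above.
# Key: (branch, variant); value: first fixed (build, sub-build).
FIXED_BUILDS = {
    ("14.1", None): (8, 50),
    ("13.1", None): (49, 15),
    ("13.0", None): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}
# Plain 12.1 is End-of-Life: every build is vulnerable and no fixed build exists.
EOL_BRANCHES = {"12.1"}

# Accepts 'NetScaler NS13.1: Build 49.13.nc' (assumed 'show ns version' layout)
# or the advisory's '13.1-49.13' form.
VERSION_RE = re.compile(r"(\d+\.\d+)[:\-\s]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, build, sub) for a NetScaler version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_vulnerable(text, variant=None):
    """Check a version against the CVE-2023-4966 fixed builds.

    variant is None (standard), 'FIPS' or 'NDcPP'. Returns (status, reason) where
    status is True (affected), False (fixed) or None (branch not in the advisory).
    """
    branch, build, sub = parse_version(text)
    shown = f"{branch}-{build}.{sub}"
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        if branch in EOL_BRANCHES and variant is None:
            return True, f"{shown} is on an End-of-Life branch; no fixed build exists"
        return None, f"{shown} ({variant or 'standard'}) is not listed in the advisory"
    fixed_shown = f"{branch}-{fixed[0]}.{fixed[1]}"
    if (build, sub) < fixed:  # tuple comparison: build number first, then sub-build
        return True, f"{shown} is before fixed build {fixed_shown}"
    return False, f"{shown} is at or after fixed build {fixed_shown}"


if __name__ == "__main__":
    # Constructed sample version strings, not captured from a real appliance.
    for line in ["NetScaler NS13.1: Build 49.13.nc", "13.1-49.15", "12.1-65.21"]:
        print(line, "->", is_vulnerable(line))
```

A match here only means the build is affected; whether the appliance is actually exposed still depends on the Gateway or AAA virtual server configuration described above.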

Mitigation Guidance

Citrix NetScaler ADC and Gateway users should update to a fixed version immediately, without waiting for a typical patch cycle to occur. Additionally, Citrix's blog on CVE-2023-4966 recommends killing all active and persistent sessions using the following commands:

kill icaconnection -all

kill rdp connection -all

kill pcoipConnection -all

kill aaa session -all

clear lb persistentSessions

For more information, see Citrix's advisory.

Rapid7 Customers

InsightVM 和 Nexpose customers can assess their exposure to both of the CVEs in Citrix’s 咨询 (CVE-2023-4966, CVE-2023-4967) with authenticated vulnerability checks available in the October 23 content release.