Mass exploitation of CitrixBleed vulnerability, including a ransomware group

CitrixBleed mspaint.exe logo, no copyright so please make t-shirts

Three days ago, AssetNote posted an excellent write up about CitrixBleed aka CVE-2023-4966 in Citrix Netscaler/ADC/AAA/whatever it is called today.

This vulnerability is now under mass exploitation. A few weeks ago it was under limited targeted exploitation to allow network access. It’s not AssetNote’s fault — it was clear multiple groups had already obtained technical details.

The patch became available on October 10th. Even if you applied the patch and rebooted, you still have a problem, as session tokens persist.

The vulnerability allows memory access. Sounds boring, right? That same memory contains session tokens, which an attacker can easily extract.

Those session tokens allow the bypass of needing login credentials and the bypass of all multi-factor authentication — an attacker can just replay the session key, and they’re in. You exploit the vulnerability by typing ‘aaaaaaaaaaaaaaaaaaaaaaaa’ a lot, which is at present my mood.
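Two of the claims above are things a defender can look for in logs: probes carrying a very long run of one repeated character, and a session token that was issued to one client and is later presented by a different one. The following is an added example, not code from the post or from Citrix; the log format, field names and IP addresses (RFC 5737 documentation ranges) are constructed for illustration and do not match real NetScaler output.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not real NetScaler output).
# Fields: timestamp, session id, client IP, User-Agent, request path, optional header value.
SAMPLE_LOG = """\
2023-10-25T09:00:01Z sid=s1a2b3 src=203.0.113.10 ua="Citrix Receiver" path=/cgi/login
2023-10-25T09:05:14Z sid=s1a2b3 src=203.0.113.10 ua="Citrix Receiver" path=/vpn/index.html
2023-10-25T09:07:40Z sid=- src=198.51.100.7 ua="python-requests/2.31" path=/probe hdr=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2023-10-25T09:09:02Z sid=s1a2b3 src=198.51.100.7 ua="python-requests/2.31" path=/vpn/index.html
2023-10-25T09:10:30Z sid=c4d5e6 src=192.0.2.22 ua="Citrix Receiver" path=/cgi/login
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)" '
    r'path=(?P<path>\S+)(?: hdr=(?P<hdr>\S+))?$'
)

def parse(log):
    """Parse the constructed log format into a list of dicts, skipping unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_padding_probes(events, min_run=24):
    """Return (timestamp, source IP) of requests whose header value contains
    a run of at least min_run identical consecutive characters."""
    run_re = re.compile(r'(.)\1{%d,}' % (min_run - 1))
    return [(e["ts"], e["src"]) for e in events if run_re.search(e.get("hdr") or "")]

def find_session_replay(events):
    """Map session id -> sorted list of (IP, User-Agent) pairs other than the one
    that first used the session. A non-empty list means the same token was
    presented by more than one client, the replay pattern described in the post."""
    clients = defaultdict(set)
    first_seen = {}
    for e in events:
        if e["sid"] == "-":          # unauthenticated request, no token to track
            continue
        clients[e["sid"]].add((e["src"], e["ua"]))
        first_seen.setdefault(e["sid"], (e["src"], e["ua"]))
    return {sid: sorted(c - {first_seen[sid]}) for sid, c in clients.items() if len(c) > 1}
```

Both checks are heuristics: a legitimate user roaming between networks can also show a session from two IPs, so the User-Agent change and the preceding probe from the same source are what make the constructed case worth escalating.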

GreyNoise have been tracking exploitation for a few weeks; here is their most up-to-date data:

You can access all their tracked attacker IPs here: https://viz.greynoise.io/query?gnql=tags%3A%22Citrix%20ADC%20Netscaler%20CVE-2023-4966%20Information%20Disclosure%20Attempt%22

GreyNoise data is from honeypots, so people are just randomly owning anything to extract the session tokens.

From talking to multiple organisations, they are seeing widespread exploitation.

Who uses Citrix Netscaler anyway?!

Many tens of thousands of businesses run it. It is very, very common in enterprise and governments. If you think nobody runs this stuff, you probably also think everybody uses Linux on their laptop.

E.g. this is just one favicon version:

Shodan.io is the bestest[…]

This article has been indexed from DoublePulsar – Medium