What is Citrix Bleed and should you be worried?
A critical buffer over-read can expose sensitive information in affected devices
Citrix has urged its customers to apply a security update that addresses a critical buffer flaw affecting its network devices, which would have allowed hackers to expose information and escalate attacks.
The vulnerability, known as Citrix Bleed, was first identified by the firm on 10 October in a security bulletin and tracked as CVE-2023-4966. At the time, the firm stated that attackers could use the flaw to steal sensitive information through Citrix devices.
It released a patch for the vulnerability to coincide with the post and notified customers and channel partners of the issue directly, but did not elaborate on the attack chain or provide further technical details.
On the National Institute of Standards and Technology’s (NIST) national vulnerability database, CVE-2023-4966 was awarded a CVSS rating of 7.5 which equates to ‘high’ severity. However, Citrix itself has branded the flaw ‘critical’.
NetScaler gateways are used for single sign-on (SSO) and play a key role across a large number of organizations including Fortune 500 firms.
“The Citrix Netscaler gateways are often used to manage remote access, including in the running of critical national infrastructure,” said Andy Hornegold, VP product at Intruder.
“This vulnerability looks like it only impacts on-premise instances as opposed to cloud-managed, so I’d expect it to impact organizations that typically run resources on-prem instead of favoring cloud-hosted tech.”
Earlier in October, Mandiant revealed it had seen evidence of CVE-2023-4966 being exploited in the wild since the end of August.
The security firm warned the flaw could be used to bypass multi-factor authentication (MFA) and hijack authenticated sessions, enabling threat actors to perform further attacks and exfiltrate sensitive data.
“The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted,” researchers wrote.
“A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment.”
How do attackers exploit Citrix Bleed?
Though few technical details were known at the time of the bulletin, researchers from security firm Assetnote have since published a proof-of-concept for the vulnerability and posted a script to GitHub for others to replicate their results.
Assetnote compared builds 13.1-48.47 and 13.1-49.15 to identify which functions Citrix had changed in the patch. Two functions stood out, ‘ns_aaa_oauth_send_openid_config’ and ‘ns_aaa_oauthrp_send_openid_config’, which are used for OpenID Connect Discovery, through which identity information is checked and sent.
In both functions, ‘snprintf’ is used to build a JSON payload containing a hostname taken from the request. Before the patch, the response was sent without any length check; after the patch, the functions only send the response when snprintf reports a value of less than 20,000 bytes.
Larger values would cause a buffer over-read, so the response would include data from adjacent memory, such as a session token.
The researchers found that the data inserted into the payload was drawn from the HTTP Host header, and that it was inserted six times. Using this knowledge, they found that sending a Host header of ‘a’ repeated 24,812 times to an unpatched version returned a response containing a 32-65 byte hex string: a session token.
Attackers could use the same methodology to draw session tokens and perform further malicious activity through the impersonation of authenticated users.
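The length-handling mistake the researchers describe, shown as an added illustration constructed for this article (it is not NetScaler code and not Assetnote’s proof-of-concept): snprintf returns the length the full string would have had, not the number of bytes actually written, so treating that value as the amount to send over-reads the buffer when the input is too long. The buffer size, JSON fields and hostnames are made up, and three copies of the host stand in for the six the researchers observed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, deliberately small response buffer so the effect shows
 * with short inputs; NetScaler's real buffer is far larger. */
#define RESP_BUF_SIZE 256

/* Constructed OpenID discovery-style payload; the host appears 3 times. */
#define OPENID_FMT \
    "{\"issuer\":\"https://%s\",\"jwks_uri\":\"https://%s/jwks\"," \
    "\"token_endpoint\":\"https://%s/token\"}"

/* Pre-patch pattern: the snprintf return value is handed back as the
 * number of bytes to send. For a host too long to fit, that value is
 * larger than out_size, so a caller that trusts it reads past the buffer
 * and leaks whatever adjacent memory holds (e.g. a session token). */
int build_openid_config_unchecked(char *out, size_t out_size, const char *host)
{
    int n = snprintf(out, out_size, OPENID_FMT, host, host, host);
    return n; /* BUG: may exceed out_size when the output was truncated */
}

/* Post-patch pattern: a return value >= out_size means snprintf truncated
 * the output; refuse to send rather than expose memory beyond the buffer. */
int build_openid_config_checked(char *out, size_t out_size, const char *host)
{
    int n = snprintf(out, out_size, OPENID_FMT, host, host, host);
    if (n < 0 || (size_t)n >= out_size)
        return -1; /* truncated (or encoding error): do not send */
    return n;
}

/* Returns 1 if the unchecked builder would claim more bytes than the
 * buffer holds for this host, i.e. an over-read would occur; the read
 * itself is never performed, so this is safe to call. */
int would_overread(const char *host)
{
    char buf[RESP_BUF_SIZE];
    int n = build_openid_config_unchecked(buf, sizeof buf, host);
    return n >= (int)sizeof buf;
}

int main(void)
{
    char longhost[400];
    memset(longhost, 'a', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';
    printf("short host over-reads: %d\n", would_overread("gw.example.com"));
    printf("long host over-reads:  %d\n", would_overread(longhost));
    return 0;
}
```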
Which versions of Citrix are vulnerable and what can I do?
In its advisory, Citrix stated that the following NetScaler Gateway and ADC versions are affected by the flaw, for which there is no mitigation other than upgrading:
- 14.1 before 14.1-8.50
- 13.1 before 13.1-49.15
- 13.0 before 13.0-92.19
Additionally, NetScaler ADC FIPS versions 13.1 before 13.1-37.164, 12.1 before 12.1-55.300, and 12.1-NDcPP before 12.1-55.300 are vulnerable to the flaw. Official Citrix advice is to update to the fixed versions as soon as possible.
Citrix added that those on NetScaler Gateway and ADC version 12.1 should upgrade their license as this version has reached end-of-life (EOL) and will receive no further support.
This is not the first high-profile flaw to be found in Citrix products this year.
In July, Citrix issued a warning to its NetScaler Gateway and ADC users over three new vulnerabilities: a remote code execution (RCE) flaw tracked as CVE-2023-3519, a cross-site scripting (XSS) flaw tracked as CVE-2023-3466, and a privilege escalation flaw tracked as CVE-2023-3467.
Another widespread campaign against Citrix users was uncovered in August by researchers at NCC Group and its subsidiary Fox-IT. They found that attackers had exploited CVE-2023-3519 to place web shells on vulnerable devices that persisted through subsequent patches and reboots.
At the time of publishing the report, the authors noted that 1,828 NetScaler products still contained backdoors and urged IT teams to seriously consider whether they had been compromised.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.