Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Frequently Asked Questions for CitrixBleed (CVE-2023-4966)

A logo for Tenable Research at the top of the image, with the words 'Advisory' in a rectangular orange box underneath the logo. Underneath the rectangular box are the words "Frequently Asked Questions" as the text is on top of a blue gradient background.

Frequently asked questions relating to a critical vulnerability in Citrix NetScaler that has been under active exploitation for over a month, including by ransomware groups.

Update November 22: This FAQ blog has been updated to note the availability of a direct check plugin.

View Change Log

Background

The Tenable Security Response Team has put together this blog to answer frequently Asked Questions (FAQ) regarding a critical vulnerability known as CitrixBleed.

FAQ

What is CitrixBleed?

CitrixBleed (or “Citrix Bleed”) is a name given to a critical vulnerability in Citrix NetScaler ADC and Gateway. Researchers at Assetnote are credited with naming this vulnerability. A logo for CitrixBleed was created by security researcher Kevin Beaumont.


When was this vulnerability first disclosed?

On October 10, Citrix published its security bulletin, identified as CTX579459, detailing this vulnerability along with a separate flaw.

What are the CVE details for the vulnerabilities patched on October 10?

As part of CTX579459, Citrix patched two vulnerabilities, CVE-2023-4966, also known as CitrixBleed, along with a denial of service (DoS) vulnerability:

CVEDescriptionCVSSv3Severity
CVE-2023-4966Citrix NetScaler ADC and Gateway Sensitive Information Disclosure Vulnerability (“CitrixBleed”)9.4Critical
CVE-2023-4967Citrix NetScaler ADC and Gateway DoS Vulnerability8.2High

We published a blog post for both vulnerabilities on October 18.

What makes CitrixBleed so severe?

CitrixBleed is e​​xtremely simple to exploit and the consequences of exploitation make this vulnerability severe. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable endpoint on a NetScaler ADC or Gateway instance.

By exploiting CitrixBleed, an attacker could obtain valid session tokens from the vulnerable device’s memory. With the possession of valid session tokens, an attacker can replay them back in order to bypass authentication.

Was this exploited as a zero-day?

Yes, according to researchers at Mandiant, they were able to find evidence of zero-day exploitation back in August.

Has in-the-wild exploitation been observed since this vulnerability became public?

Yes, Citrix, our partners at GreyNoise and Kevin Beaumont have all observed in-the-wild exploitation of this vulnerability since at least October 23.

Which threat actors are exploiting CitrixBleed?

As of November 20, there are multiple threat actors exploiting CitrixBleed:

Threat Group/Actor NameTypeSource
LockBit 3.0RansomwareKevin Beaumont
MedusaRansomwareKevin Beaumont
Uncategorized Group #1UnknownMandiant
Uncategorized Group #2UnknownMandiant
Uncategorized Group #3UnknownMandiant
Uncategorized Group #4UnknownMandiant

This is not an exhaustive list and specific details about the uncategorized groups are not yet known at this time.

Who are LockBit 3.0 and Medusa and what are their motivations?

LockBit 3.0 and Medusa are two active ransomware groups that have been observed exploiting CitrixBleed as part of attacks against organizations.

Typically, ransomware groups conduct what is known as double extortion, whereby they encrypt files on systems within a network while simultaneously stealing sensitive information from these networks and threatening to leak this stolen data on the dark web if a ransom demand is not paid.

Double extortion attacks are what have fueled the success of ransomware over the years. However, over the last year, ransomware groups are choosing to bypass the encryption stage of their attacks, focusing solely on exfiltration and threaten to publish the stolen information. Ultimately, the motivation of these attackers are not to disrupt operations, but instead to profit from these attacks.

Are the ransomware groups themselves launching these attacks?

No, the groups themselves are often not the ones behind the attacks. They are responsible for developing and providing the ransomware and infrastructure to individuals known as affiliates. Affiliates partner with ransomware groups to conduct the attacks, steal sensitive information and distribute the ransomware payloads within a network. For their efforts, affiliates receive a large portion of the ransomware payout.

On November 21, a joint cybersecurity advisory (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC) and Australian Signals Directorate's Australian Cyber Security Center (ASD's ACSC) was published which includes insights into a real-world attack conducted by affiliates of LockBit 3.0 against Boeing using CitrixBleed.

For more information about affiliates and ransomware groups, please check out our report on The Ransomware Ecosystem.

Are there any specific industries being targeted by this vulnerability?

Public reporting suggests that this vulnerability is currently being used to target organizations across multiple industries across the world including finance, government organizations, technology, professional services, legal, freight and defense.

Do we know how many vulnerable NetScaler ADC and Gateway instances there are?

There have been two different reports highlighting vulnerable NetScaler ADC and Gateway instances accessible on the internet. BleepingComputer cited a security researcher named Yutaka Sejiyama, who says there were 10,400 Citrix servers vulnerable to CitrixBleed as of November 14 while Kevin Beaumont said that there are around 5,000 unpatched servers online as of November 7.

Is there a proof-of-concept (PoC) available for this vulnerability?

Yes, researchers at Assetnote published a PoC for this vulnerability on October 23.

Are patches available for CitrixBleed?

Yes, Citrix released patches for the following NetScaler ADC and Gateway versions:

Affected ProductAffected VersionFixed Version
NetScaler ADC and NetScaler GatewayPrior to 13.0-92.1913.0-92.19 and later releases of 13.0
Prior to 13.1-49.1513.1-49.15 and later releases of 13.1
Prior to 14.1-8.5014.1-8.50 and later releases
NetScaler ADC 12.1-NDcPPPrior to 12.1-55.30012.1-55.300 and later releases of 12.1-NDcPP
NetScaler ADC 12.1-FIPSPrior to 12.1-55.30012.1-55.300 and later releases of 12.1-FIPS
NetScaler ADC 13.1-FIPSPrior to 13.1-37.16413.1-37.164 and later releases of 13.1-FIPS

Version 12.1 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.

If I’ve patched CitrixBleed already, is my network safe?

Because CitrixBleed allows an attacker to steal valid session tokens, these session tokens can be replayed against the system irrespective of the patching status. So long as these stolen session tokens persist and are in the possession of an attacker, they can be reused.

Additionally, Kevin Beaumont notes that ransomware groups like LockBit are maintaining access to compromised networks by installing remote access tools like Atera, a remote monitoring & management (RMM) tool.

Whether patches have been applied or not, organizations that use NetScaler ADC and Gateway should assume compromise and begin an incident response investigation.

How do we stop attackers from leveraging stolen session tokens?

As outlined in this Citrix blog, once the available patches have been applied, there are a set of commands that can be run to kill active and persistent sessions, thereby thwarting attackers ability to replay the valid session tokens back even if a system has been patched. This advice was reiterated again in a follow-up blog published by Citrix on November 21.

Has Tenable released any product coverage for CitrixBleed?

Yes, please refer to the Identifying Affected Systems section below for more information.

Timeline

DateDetailsMilestone
August 2023On October 17, researchers at Mandiant looked back and found evidence of exploitation of a Citrix NetScaler zero-dayZero-Day Exploitation
October 10, 2023Citrix publishes security bulletin CTX579459 to address two vulnerabilities in NetScaler ADC and Gateway including CVE-2023-4966Public Disclosure
October 17, 2023Mandiant publishes its blog post on the discovery of zero-day exploitation of CVE-2023-4966Historical Insight
October 23, 2023Researchers at GreyNoise add a tag for CVE-2023-4966 to track associated activityMonitoring for Exploitation
Assetnote publishes its proof-of-concept (PoC) to GitHubProof-of-Concept Published
October 24, 2023GreyNoise identifies first in-the-wild exploitation attempts for CVE-2023-49666Exploitation Detected
October 25, 2023Researchers at Assetnote publish a blog post naming the vulnerability “Citrix Bleed” and providing technical details and highlights its PoCNamed Vulnerability, Technical Details Shared
Researcher Kevin Beaumont says vulnerability is being “mass exploited in the wild for about a month” and highlights ease of exploitationAdditional Details, Confirmed Exploitation Activity
October 27, 2023Beaumont reiterates mass exploitation, publishes blog post that reveals that a ransomware group is leveraging it as part of attacksExploited by First Ransomware Group
October 28, 2023Over 20,000 NetScaler systems have been exploited according to BeaumontMass Exploitation Activity
November 11, 2023LockBit ransomware group is confirmed to be using CitrixBleed in attacks against a variety of industries including finance, freight, legal and defenseWidespread Exploitation of Vulnerability by LockBit Affiliates
November 14, 2023A second ransomware group, Medusa, has also begun exploiting this vulnerability in attacksExploited by Second Ransomware Group
Security researcher Yutaka Sejiyama shared with BleepingComputer that over 10,400 Citrix servers are still vulnerable to CVE-2023-4966 with nearly a third (30%) in the United StatesUpdated Attack Surface
November 21, 2023A joint CSA from CISA, FBI, MS-ISAC and ASD's ACSC was published and includes insights into a real-world attack conducted by affiliates of the LockBit 3.0 against BoeingTactics, Techniques, and Procedures (TTPs) of Exploitation by LockBit 3.0 Ransomware Affiliates
Citrix publishes a follow-up blog including investigation recommendations and reiterates importance of following instructions to remove active or persistent sessionsAdditional Insights and Recommendations

Identifying affected systems

The following plugins for CVE-2023-4966 and CVE-2023-4967 are available. Customers are advised to use these plugins to identify vulnerable assets.

Plugin IDTitleType
183026NetScaler ADC and NetScaler Gateway Multiple Vulnerabilities (CTX579459)Version Check
186176Citrix ADC and Citrix NetScaler Gateway Information Disclosure (CTX579459)(Direct Check)Direct Check
114100Citrix Gateway / ADC Sensitive Information ExposureTenable Web App Scanning (formerly Tenable.io Web Application Scanning) Remote Check

Get more information

Change Log

Update November 22: This FAQ blog has been updated to note the availability of a direct check plugin.

Update November 21: This FAQ blog has been updated to include references to a joint cybersecurity advisory by several government agencies regarding exploitation of CitrixBleed by affiliates of LockBit 3.0 and a follow-up blog post from Citrix with investigation recommendations.

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.