Frequently Asked Questions for CitrixBleed (CVE-2023-4966)
Frequently asked questions relating to a critical vulnerability in Citrix NetScaler that has been under active exploitation for over a month, including by ransomware groups.
Update November 22: This FAQ blog has been updated to note the availability of a direct check plugin.
Background
The Tenable Security Response Team has put together this blog to answer frequently Asked Questions (FAQ) regarding a critical vulnerability known as CitrixBleed.
FAQ
What is CitrixBleed?
CitrixBleed (or “Citrix Bleed”) is a name given to a critical vulnerability in Citrix NetScaler ADC and Gateway. Researchers at Assetnote are credited with naming this vulnerability. A logo for CitrixBleed was created by security researcher Kevin Beaumont.
When was this vulnerability first disclosed?
On October 10, Citrix published its security bulletin, identified as CTX579459, detailing this vulnerability along with a separate flaw.
What are the CVE details for the vulnerabilities patched on October 10?
As part of CTX579459, Citrix patched two vulnerabilities, CVE-2023-4966, also known as CitrixBleed, along with a denial of service (DoS) vulnerability:
CVE | Description | CVSSv3 | Severity |
---|---|---|---|
CVE-2023-4966 | Citrix NetScaler ADC and Gateway Sensitive Information Disclosure Vulnerability (“CitrixBleed”) | 9.4 | Critical |
CVE-2023-4967 | Citrix NetScaler ADC and Gateway DoS Vulnerability | 8.2 | High |
We published a blog post for both vulnerabilities on October 18.
What makes CitrixBleed so severe?
CitrixBleed is extremely simple to exploit and the consequences of exploitation make this vulnerability severe. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable endpoint on a NetScaler ADC or Gateway instance.
By exploiting CitrixBleed, an attacker could obtain valid session tokens from the vulnerable device’s memory. With the possession of valid session tokens, an attacker can replay them back in order to bypass authentication.
Was this exploited as a zero-day?
Yes, according to researchers at Mandiant, they were able to find evidence of zero-day exploitation back in August.
Has in-the-wild exploitation been observed since this vulnerability became public?
Yes, Citrix, our partners at GreyNoise and Kevin Beaumont have all observed in-the-wild exploitation of this vulnerability since at least October 23.
Which threat actors are exploiting CitrixBleed?
As of November 20, there are multiple threat actors exploiting CitrixBleed:
Threat Group/Actor Name | Type | Source |
---|---|---|
LockBit 3.0 | Ransomware | Kevin Beaumont |
Medusa | Ransomware | Kevin Beaumont |
Uncategorized Group #1 | Unknown | Mandiant |
Uncategorized Group #2 | Unknown | Mandiant |
Uncategorized Group #3 | Unknown | Mandiant |
Uncategorized Group #4 | Unknown | Mandiant |
This is not an exhaustive list and specific details about the uncategorized groups are not yet known at this time.
Who are LockBit 3.0 and Medusa and what are their motivations?
LockBit 3.0 and Medusa are two active ransomware groups that have been observed exploiting CitrixBleed as part of attacks against organizations.
Typically, ransomware groups conduct what is known as double extortion, whereby they encrypt files on systems within a network while simultaneously stealing sensitive information from these networks and threatening to leak this stolen data on the dark web if a ransom demand is not paid.
Double extortion attacks are what have fueled the success of ransomware over the years. However, over the last year, ransomware groups are choosing to bypass the encryption stage of their attacks, focusing solely on exfiltration and threaten to publish the stolen information. Ultimately, the motivation of these attackers are not to disrupt operations, but instead to profit from these attacks.
Are the ransomware groups themselves launching these attacks?
No, the groups themselves are often not the ones behind the attacks. They are responsible for developing and providing the ransomware and infrastructure to individuals known as affiliates. Affiliates partner with ransomware groups to conduct the attacks, steal sensitive information and distribute the ransomware payloads within a network. For their efforts, affiliates receive a large portion of the ransomware payout.
On November 21, a joint cybersecurity advisory (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC) and Australian Signals Directorate's Australian Cyber Security Center (ASD's ACSC) was published which includes insights into a real-world attack conducted by affiliates of LockBit 3.0 against Boeing using CitrixBleed.
For more information about affiliates and ransomware groups, please check out our report on The Ransomware Ecosystem.
Are there any specific industries being targeted by this vulnerability?
Public reporting suggests that this vulnerability is currently being used to target organizations across multiple industries across the world including finance, government organizations, technology, professional services, legal, freight and defense.
Do we know how many vulnerable NetScaler ADC and Gateway instances there are?
There have been two different reports highlighting vulnerable NetScaler ADC and Gateway instances accessible on the internet. BleepingComputer cited a security researcher named Yutaka Sejiyama, who says there were 10,400 Citrix servers vulnerable to CitrixBleed as of November 14 while Kevin Beaumont said that there are around 5,000 unpatched servers online as of November 7.
Is there a proof-of-concept (PoC) available for this vulnerability?
Yes, researchers at Assetnote published a PoC for this vulnerability on October 23.
Are patches available for CitrixBleed?
Yes, Citrix released patches for the following NetScaler ADC and Gateway versions:
Affected Product | Affected Version | Fixed Version |
---|---|---|
NetScaler ADC and NetScaler Gateway | Prior to 13.0-92.19 | 13.0-92.19 and later releases of 13.0 |
Prior to 13.1-49.15 | 13.1-49.15 and later releases of 13.1 | |
Prior to 14.1-8.50 | 14.1-8.50 and later releases | |
NetScaler ADC 12.1-NDcPP | Prior to 12.1-55.300 | 12.1-55.300 and later releases of 12.1-NDcPP |
NetScaler ADC 12.1-FIPS | Prior to 12.1-55.300 | 12.1-55.300 and later releases of 12.1-FIPS |
NetScaler ADC 13.1-FIPS | Prior to 13.1-37.164 | 13.1-37.164 and later releases of 13.1-FIPS |
Version 12.1 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.
If I’ve patched CitrixBleed already, is my network safe?
Because CitrixBleed allows an attacker to steal valid session tokens, these session tokens can be replayed against the system irrespective of the patching status. So long as these stolen session tokens persist and are in the possession of an attacker, they can be reused.
Additionally, Kevin Beaumont notes that ransomware groups like LockBit are maintaining access to compromised networks by installing remote access tools like Atera, a remote monitoring & management (RMM) tool.
Whether patches have been applied or not, organizations that use NetScaler ADC and Gateway should assume compromise and begin an incident response investigation.
How do we stop attackers from leveraging stolen session tokens?
As outlined in this Citrix blog, once the available patches have been applied, there are a set of commands that can be run to kill active and persistent sessions, thereby thwarting attackers ability to replay the valid session tokens back even if a system has been patched. This advice was reiterated again in a follow-up blog published by Citrix on November 21.
Has Tenable released any product coverage for CitrixBleed?
Yes, please refer to the Identifying Affected Systems section below for more information.
Timeline
Date | Details | Milestone |
---|---|---|
August 2023 | On October 17, researchers at Mandiant looked back and found evidence of exploitation of a Citrix NetScaler zero-day | Zero-Day Exploitation |
October 10, 2023 | Citrix publishes security bulletin CTX579459 to address two vulnerabilities in NetScaler ADC and Gateway including CVE-2023-4966 | Public Disclosure |
October 17, 2023 | Mandiant publishes its blog post on the discovery of zero-day exploitation of CVE-2023-4966 | Historical Insight |
October 23, 2023 | Researchers at GreyNoise add a tag for CVE-2023-4966 to track associated activity | Monitoring for Exploitation |
Assetnote publishes its proof-of-concept (PoC) to GitHub | Proof-of-Concept Published | |
October 24, 2023 | GreyNoise identifies first in-the-wild exploitation attempts for CVE-2023-49666 | Exploitation Detected |
October 25, 2023 | Researchers at Assetnote publish a blog post naming the vulnerability “Citrix Bleed” and providing technical details and highlights its PoC | Named Vulnerability, Technical Details Shared |
Researcher Kevin Beaumont says vulnerability is being “mass exploited in the wild for about a month” and highlights ease of exploitation | Additional Details, Confirmed Exploitation Activity | |
October 27, 2023 | Beaumont reiterates mass exploitation, publishes blog post that reveals that a ransomware group is leveraging it as part of attacks | Exploited by First Ransomware Group |
October 28, 2023 | Over 20,000 NetScaler systems have been exploited according to Beaumont | Mass Exploitation Activity |
November 11, 2023 | LockBit ransomware group is confirmed to be using CitrixBleed in attacks against a variety of industries including finance, freight, legal and defense | Widespread Exploitation of Vulnerability by LockBit Affiliates |
November 14, 2023 | A second ransomware group, Medusa, has also begun exploiting this vulnerability in attacks | Exploited by Second Ransomware Group |
Security researcher Yutaka Sejiyama shared with BleepingComputer that over 10,400 Citrix servers are still vulnerable to CVE-2023-4966 with nearly a third (30%) in the United States | Updated Attack Surface | |
November 21, 2023 | A joint CSA from CISA, FBI, MS-ISAC and ASD's ACSC was published and includes insights into a real-world attack conducted by affiliates of the LockBit 3.0 against Boeing | Tactics, Techniques, and Procedures (TTPs) of Exploitation by LockBit 3.0 Ransomware Affiliates |
Citrix publishes a follow-up blog including investigation recommendations and reiterates importance of following instructions to remove active or persistent sessions | Additional Insights and Recommendations |
Identifying affected systems
The following plugins for CVE-2023-4966 and CVE-2023-4967 are available. Customers are advised to use these plugins to identify vulnerable assets.
Plugin ID | Title | Type |
---|---|---|
183026 | NetScaler ADC and NetScaler Gateway Multiple Vulnerabilities (CTX579459) | Version Check |
186176 | Citrix ADC and Citrix NetScaler Gateway Information Disclosure (CTX579459)(Direct Check) | Direct Check |
114100 | Citrix Gateway / ADC Sensitive Information Exposure | Tenable Web App Scanning (formerly Tenable.io Web Application Scanning) Remote Check |
Get more information
- Tenable Blog Post for CVE-2023-4966 ("Citrix Bleed")
- CTX579459: Citrix Security Bulletin for CVE-2023-4966, CVE-2023-4967
- Assetnote Blog: Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
- Mandiant Blog: Zero-Day Exploitation of CitrixBleed
- NetScaler Cloud Software Group Blog Post on CVE-2023-4966
- Greynoise Blog: Widespread Attacks Using CVE-2023-4966
- Kevin Beaumont Blog: Mass Exploitation of CitrixBleed including Ransomware Group
- Mandiant Blog: Investigation of Session Hijacking via CVE-2023-4966
- Kevin Beaumont: LockBit Strike Team and CitrixBleed
- BleepingComputer: LockBit Exploits Citrix Bleed, 10K Servers Exposed
Change Log
Update November 22: This FAQ blog has been updated to note the availability of a direct check plugin.
Update November 21: This FAQ blog has been updated to include references to a joint cybersecurity advisory by several government agencies regarding exploitation of CitrixBleed by affiliates of LockBit 3.0 and a follow-up blog post from Citrix with investigation recommendations.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management