Security researchers at AssetNote uncovered an easily exploitable authentication bypass vulnerability while investigating the Citrix patches for the “unauthenticated buffer-related vulnerabilities” previously reported in a Citrix security bulletin. Through “patch diffing” (comparing the patched and unpatched binaries to locate the code that changed), AssetNote built a proof-of-concept exploit that bypasses authentication, including MFA, on unpatched systems.
As noted by Citrix in their official security bulletin:
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
Note: NetScaler ADC and NetScaler Gateway version 12.1 has reached end-of-life and is vulnerable.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action. NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway (VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as an AAA virtual server (traditional load balancing configurations, for example) and related products such as NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.
If exploited, this vulnerability leaks a portion of the appliance’s memory to the attacker. Memory leaked in this way may contain a valid NetScaler AAA session cookie belonging to an authenticated user. With that stolen session cookie, an attacker can impersonate the user and establish a fully authenticated session with the appliance without supplying a username or password. Because the cookie is issued only after authentication completes, the MFA check has already been satisfied and will not stop an attacker who holds it.
Confirmed malicious activity following successful exploitation and authentication includes typical post-exploitation tactics, techniques, and procedures (TTPs) such as the following:
If you are running an affected version, Citrix urges administrators to apply the updates immediately. After patching, Citrix also recommends terminating all active and persistent sessions, since any session cookie stolen before the patch remains valid until the session is killed. This can be accomplished using the following commands:
Tracking and identifying evidence of exploitation is difficult, as the Citrix appliance logs don’t appear to record any hints or artifacts of successful exploitation. Mandiant has provided a solid list to help scope your investigation:
Given the lack of exploitation artifacts on the Citrix appliances themselves, it is worth reviewing the logs of any network firewalls or web application firewalls deployed in front of the NetScaler appliance. Most notably, monitor traffic to these appliances from suspicious or unusual IP addresses, and watch for abnormal requests to the Citrix appliance URL oauth/idp/.well-known/openid-configuration.
GreyNoise is tracking suspicious IPs under the tag “Citrix ADC Netscaler CVE-2023-4966 Information Disclosure Attempt”. Note that these are IP addresses caught scanning for the vulnerability; seeing them in your logs is not by itself confirmation of a targeted attack or of successful exploitation.
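As an added example (not code from the original post, Blumira, or Citrix), the script below triages access-log lines from a reverse proxy or WAF sitting in front of the NetScaler and tallies, per source IP, every request to the openid-configuration endpoint named above. The log lines, IP addresses, and allow-list are constructed for illustration; the Apache/NGINX “combined” log format is assumed, so adjust the regex if your WAF logs differently.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Apache/NGINX "combined" format), as a
# WAF or reverse proxy in front of the NetScaler might record them.
# 198.51.100.10 is an ordinary VPN user; the other two addresses probe the endpoint.
SAMPLE_ACCESS_LOG = """\
198.51.100.10 - - [23/Oct/2023:09:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.77 - - [23/Oct/2023:09:00:14 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 8192 "-" "python-requests/2.31.0"
203.0.113.77 - - [23/Oct/2023:09:00:15 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 8192 "-" "python-requests/2.31.0"
192.0.2.5 - - [23/Oct/2023:09:03:40 +0000] "GET /OAuth/IdP/.well-known/openid-configuration?x=1 HTTP/1.1" 200 1190 "-" "curl/8.1.2"
198.51.100.10 - - [23/Oct/2023:09:05:22 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.77 - - [23/Oct/2023:09:06:01 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 8192 "-" "python-requests/2.31.0"
"""

# Minimal parser for the "combined" log format: client IP, timestamp,
# method, request target, status code, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The endpoint the post tells you to watch for abnormal requests to.
OPENID_PATH = "/oauth/idp/.well-known/openid-configuration"


def is_openid_probe(target: str) -> bool:
    """True if the request target resolves to the openid-configuration endpoint.

    The path is percent-decoded and lower-cased and the query string is
    dropped, so trivial variations (case changes, a '?x=1' suffix, a trailing
    slash) still match instead of slipping past a literal string compare.
    """
    path = unquote(urlsplit(target).path).lower()
    return path.rstrip("/") == OPENID_PATH


def parse_access_log(text: str) -> list[dict]:
    """Return one dict per parseable line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def openid_probes_by_ip(text: str, allowlist=frozenset()) -> dict[str, int]:
    """Count requests to the endpoint per source IP, skipping allow-listed IPs
    (for example your own vulnerability scanner).

    No minimum hit count is applied on purpose: a single request is enough
    to leak memory, so every hit from an unexpected source deserves a look.
    Whether it was a scanner or a targeted attempt is a follow-up question.
    """
    counts: Counter = Counter()
    for ev in parse_access_log(text):
        if ev["ip"] in allowlist:
            continue
        if is_openid_probe(ev["target"]):
            counts[ev["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = openid_probes_by_ip(SAMPLE_ACCESS_LOG, allowlist={"192.0.2.5"})
    for ip, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{ip:<16} {n} request(s) to {OPENID_PATH}")
```

Feed it your real proxy or WAF export in place of the constructed sample, and put your own scanner’s address in the allow-list. The result is a list of sources to cross-check against the GreyNoise tag and against the NetScaler SSLVPN login logs for the same time window.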
New Blumira detections specifically created in response to this emerging threat:
| Type | Default Status | Name | Description |
|---|---|---|---|
| Detection | Enabled | SoftPerfect Network Scanner | Identifies processes running that are associated with the network scanning tool “Network Scanner” by SoftPerfect. |
| Detection | Disabled | Citrix Netscaler: Multiple SSLVPN Users from Same IP | Identifies when multiple users are using NetScaler SSLVPN from the same IP address, as advised by Mandiant. |
| Detection | Disabled | Citrix Netscaler: SSLVPN Mismatched Client IP and Source IP | Identifies when an SSLVPN session has a mismatched client IP and source IP, which may indicate session hijacking, as advised by Mandiant. |
| Detection | Disabled | Citrix Netscaler: SSLVPN Authentication Outside of US | Identifies when an SSLVPN authentication occurs from outside the United States. |
| Report | N/A | Citrix Netscaler: SSLVPN Activity by Country | Presents SSLVPN activity grouped by country, to help quickly identify suspicious or unexpected activity. |
| Report | N/A | Citrix Netscaler: All SSLVPN Logins | Surfaces all logs related to user SSLVPN authentication. |
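As an added example (not Blumira’s detection code, nor Mandiant’s or Citrix’s), the script below implements the two Mandiant-derived indicators from the table, “multiple SSLVPN users from the same IP” and “mismatched client IP and source IP”, over NetScaler SSLVPN syslog events. The log lines, user names, session IDs and IP addresses are constructed; the line layout is a simplified approximation of NetScaler `SSLVPN LOGIN` / `TCPCONNSTAT` events, in which the `Context user@ip` field is taken as the source IP of the request and `Client_ip` as the IP recorded for the session, so check the regex against your own ns.log samples before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating NetScaler SSLVPN syslog events.
# Three different users log in from 203.0.113.77 within minutes, and alice's
# session 7 (established from 198.51.100.10) later shows activity from 203.0.113.77.
SAMPLE_NS_LOG = """\
Oct 23 09:01:12 ns01 0-PPE-0 : default SSLVPN LOGIN 101 0 : Context alice@198.51.100.10 - SessionId: 7- User alice - Client_ip 198.51.100.10 - Vserver 10.0.0.2:443
Oct 23 09:02:30 ns01 0-PPE-0 : default SSLVPN LOGIN 102 0 : Context bob@198.51.100.11 - SessionId: 8- User bob - Client_ip 198.51.100.11 - Vserver 10.0.0.2:443
Oct 23 09:15:44 ns01 0-PPE-0 : default SSLVPN LOGIN 103 0 : Context carol@203.0.113.77 - SessionId: 9- User carol - Client_ip 203.0.113.77 - Vserver 10.0.0.2:443
Oct 23 09:16:02 ns01 0-PPE-0 : default SSLVPN LOGIN 104 0 : Context dave@203.0.113.77 - SessionId: 10- User dave - Client_ip 203.0.113.77 - Vserver 10.0.0.2:443
Oct 23 09:17:19 ns01 0-PPE-0 : default SSLVPN LOGIN 105 0 : Context erin@203.0.113.77 - SessionId: 11- User erin - Client_ip 203.0.113.77 - Vserver 10.0.0.2:443
Oct 23 09:40:05 ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 106 0 : Context alice@203.0.113.77 - SessionId: 7- User alice - Client_ip 198.51.100.10 - Vserver 10.0.0.2:443
"""

# Assumed (simplified) field layout: event type, "Context user@source_ip",
# session ID, and the Client_ip recorded for the session.
EVENT_RE = re.compile(
    r"SSLVPN (?P<event>[A-Z_]+) \d+ \d+ : Context (?P<user>[^@\s]+)@(?P<src>[\d.]+)"
    r" - SessionId: (?P<sid>\d+)- User \S+ - Client_ip (?P<client>[\d.]+)"
)


def parse_sslvpn_events(text: str) -> list[dict]:
    """Return one dict per SSLVPN event line; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def users_per_source(events: list[dict], min_users: int = 3) -> dict[str, set]:
    """'Multiple SSLVPN users from the same IP' indicator.

    Counts distinct users in LOGIN events per source IP and returns
    {ip: {users}} for IPs at or above min_users. Tune min_users for shared
    egress (office NAT, VDI) in your environment before turning this into an alert.
    """
    seen: dict[str, set] = defaultdict(set)
    for ev in events:
        if ev["event"] == "LOGIN":
            seen[ev["src"]].add(ev["user"])
    return {ip: users for ip, users in seen.items() if len(users) >= min_users}


def mismatched_sessions(events: list[dict]) -> list[tuple]:
    """'Mismatched client IP and source IP' indicator.

    Flags any event whose source IP (from Context) differs from the Client_ip
    recorded for the session. A stolen AAA session cookie replayed from the
    attacker's host shows up exactly this way: same session ID and user,
    different source address. Returns (user, session_id, client_ip, source_ip).
    """
    return [
        (ev["user"], ev["sid"], ev["client"], ev["src"])
        for ev in events
        if ev["src"] != ev["client"]
    ]


if __name__ == "__main__":
    events = parse_sslvpn_events(SAMPLE_NS_LOG)
    for ip, users in users_per_source(events).items():
        print(f"{ip}: {len(users)} distinct users logged in: {sorted(users)}")
    for user, sid, client, src in mismatched_sessions(events):
        print(f"session {sid} for {user}: client IP {client} but activity from {src}")
```

Run it against an ns.log export (or the same events forwarded to your SIEM) after narrowing the time window to the exposure period. Either indicator alone is a lead rather than proof; a hit on both for the same session, or a mismatch involving an IP that also appears in the WAF probe list, is what should trigger session termination and a look at the post-exploitation TTPs listed earlier.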
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.
Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure in your environment.