Security researchers at AssetNote uncovered an easily exploitable authentication bypass vulnerability when investigating Citrix patch updates related to “unauthenticated buffer-related vulnerabilities” previously reported in a Citrix security bulletin. Through a process called “patch diffing”, AssetNote was able to create a proof of concept exploit that bypassed authentication, including MFA, on unpatched systems.
As noted by Citrix in their official security bulletin:
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Note: NetScaler ADC and NetScaler Gateway version 12.1 have reached end-of-life and are vulnerable.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action. NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway (VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as an AAA virtual server (traditional load balancing configurations, for example) and related products such as NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.
How Bad is This?
If exploited, this vulnerability leaks the contents of system memory to the attacker. Memory leaked in this way may contain a valid NetScaler AAA session cookie belonging to a legitimate, authenticated user. Using this stolen session cookie, an attacker could impersonate that user and establish a fully authenticated session with the appliance without providing a username or password. It’s important to note that this session cookie is issued post-authentication, which means that MFA checks have already been satisfied and will not prevent an attacker from gaining access.
Confirmed malicious activity following successful exploitation and authentication includes typical post-exploitation tactics, techniques, and procedures (TTPs) such as the following:
- Host and network reconnaissance
- Credential harvesting
- LSASS dumps
- Lateral movement via RDP
- Usage of specific tools and Windows utilities
  - SoftPerfect network scanner (netscan.exe)
- Deployment of RMM tools for persistence
What Should I Do?
If you are running an affected version, Citrix urges administrators to apply updates immediately. Following successful patching, Citrix has also recommended ending all active and persistent sessions. This can be accomplished using the following commands:
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- kill aaa session -all
- clear lb persistentSessions
Tracking and identifying evidence of exploitation is difficult as Citrix appliance logs don’t appear to provide any hints or artifacts of successful exploitation. Mandiant has provided a solid list to help scope your investigation:
- Reviewing NetScaler appliances for evidence of backdoors or web shells.
  - Mandiant has provided a tool to help identify such evidence.
- Identifying suspicious logins / lateral movement originating from published systems or resources accessible through the NetScaler appliances.
- Correlating authentication and login events (e.g., VDI systems published through NetScaler appliances) sourced from geographic locations that are not part of an established baseline.
- Correlating authentication and login events where a successful MFA challenge/response was not logged.
Considering the lack of logging artifacts of exploitation on the Citrix appliances themselves, it may be helpful to review the logs from network firewalls or web application firewalls that are deployed in front of the NetScaler appliance. In particular, monitor traffic to these appliances from suspicious or unusual IP addresses, and watch for abnormal requests to the appliance URL oauth/idp/.well-known/openid-configuration.
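As an added illustration of the front-end log review just described (this is example code written for this post, not a Blumira detection or a Citrix tool), the script below reads web application firewall or reverse-proxy access logs and summarizes which source IPs requested the oauth/idp/.well-known/openid-configuration endpoint. The log lines are constructed, their combined-log layout is an assumption about your front-end device's format, and the "known networks" baseline is a placeholder for your own expected source ranges. A hit is a triage lead, not confirmation of exploitation, exactly as the GreyNoise note below cautions.

```python
"""Triage front-end (WAF / reverse-proxy) access logs for requests to the NetScaler
OpenID discovery endpoint called out in the post.  The log lines below are
constructed for this example (the combined-log layout is an assumption, not a
Citrix format), and the known-networks baseline is a placeholder for your own
expected source ranges."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Endpoint the post recommends watching on the appliance.
WATCHED_PATH = "/oauth/idp/.well-known/openid-configuration"

# Constructed sample lines; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [25/Oct/2023:10:01:02 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1422
203.0.113.7 - - [25/Oct/2023:10:01:03 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1422
203.0.113.7 - - [25/Oct/2023:10:01:05 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1422
198.51.100.20 - - [25/Oct/2023:10:02:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
192.0.2.44 - - [25/Oct/2023:10:03:15 +0000] "GET /oauth/idp/.well-known/openid-configuration?x=1 HTTP/1.1" 200 1422
this line is deliberately malformed and must be skipped by the parser
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_log(text):
    """Yield one dict per parsable line; unparsable lines are skipped rather than aborting the review."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def review_watched_path(text, known_networks=("192.0.2.0/24",), repeat_threshold=3):
    """Summarise which source IPs requested WATCHED_PATH.

    Returns {ip: {"count": n, "external": bool, "repeated": bool}}.  'external'
    means the IP lies outside the caller's baseline networks (an assumption you
    supply); 'repeated' flags IPs at or above repeat_threshold requests."""
    nets = [ip_network(n) for n in known_networks]
    hits = Counter()
    for rec in parse_access_log(text):
        if rec["path"].split("?", 1)[0] == WATCHED_PATH:   # ignore any query string
            hits[rec["ip"]] += 1
    findings = {}
    for ip, n in hits.items():
        addr = ip_address(ip)
        external = not any(addr in net for net in nets)
        findings[ip] = {"count": n, "external": external, "repeated": n >= repeat_threshold}
    return findings


def leads(text, **kw):
    """Sorted list of IPs worth a closer look: external, or repeated, requests to the endpoint."""
    return sorted(ip for ip, f in review_watched_path(text, **kw).items()
                  if f["external"] or f["repeated"])


if __name__ == "__main__":
    for ip, f in review_watched_path(SAMPLE_ACCESS_LOG).items():
        print(ip, f)
    print("leads:", leads(SAMPLE_ACCESS_LOG))
```

Point the script at your own exported access log and replace the known-networks tuple with the ranges you expect to see; the output is a short list of IPs to correlate against the NetScaler session logs and the GreyNoise tag mentioned below, not a verdict.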
GreyNoise is tracking suspicious IPs under the tag “Citrix ADC Netscaler CVE-2023-4966 Information Disclosure Attempt”. It should be noted that these are just IP addresses caught scanning for the vulnerability. Seeing these in your logs should not be considered a confirmation of a targeted attack or attempted exploitation.
New Blumira detections specifically created in response to this emerging threat:

| Type | Status | Name | Description |
|---|---|---|---|
| Detection | Enabled | SoftPerfect Network Scanner | Identifies processes running that are associated with the network scanning tool “Network Scanner” by SoftPerfect. |
| Detection | Disabled | Citrix Netscaler: Multiple SSLVPN Users from Same IP | Identifies when multiple users are using Netscaler SSLVPN from the same IP address, as advised by Mandiant. |
| Detection | Disabled | Citrix Netscaler: SSLVPN Mismatched Client IP and Source IP | Identifies when an SSLVPN session has a mismatched client IP and source IP, which may indicate session hijacking, as advised by Mandiant. |
| Detection | Disabled | Citrix Netscaler: SSLVPN Authentication Outside of US | Identifies when a user SSLVPN authentication occurs outside of the United States. |
| Report | N/A | Citrix Netscaler: SSLVPN Activity by Country | Presents SSLVPN activity grouped by country. This report should help quickly and easily identify any suspicious or unexpected activity. |
| Report | N/A | Citrix Netscaler: All SSLVPN Logins | Surfaces all logs related to user SSLVPN authentication. |
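To show how the two session-level checks from Mandiant's list and the table above (multiple SSLVPN users from one IP, and a session whose client IP does not match its source IP) can be applied to NetScaler syslog, here is an added example written for this post; it is not Blumira's detection logic and not a Citrix utility. The records are constructed and only approximate the NetScaler "SSLVPN LOGIN" syslog layout, and treating the address in the Context field as the login's source and the Client_ip field as the session's recorded client is an assumption you should confirm against your own appliance's logs.

```python
"""Review NetScaler SSLVPN LOGIN syslog records for two session-level signals:
several distinct users from one source IP, and sessions whose recorded Client_ip
differs from the address the login arrived from.  Sample lines are constructed
for this example; their layout approximates the NetScaler SSLVPN LOGIN syslog
format, and the Context-address / Client_ip pairing is an assumption."""
import re
from collections import defaultdict

# Constructed sample records (documentation IP ranges, fictitious users).
SAMPLE_NS_SYSLOG = """\
Oct 25 13:22:01 10.0.0.1 10/25/2023:13:22:01 GMT 0-PPE-0 : default SSLVPN LOGIN 1001 0 : Context alice@198.51.100.10 - SessionId: 7 - User alice - Client_ip 198.51.100.10 - Nat_ip "Mapped Ip" - Vserver 10.0.0.2:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"
Oct 25 13:25:14 10.0.0.1 10/25/2023:13:25:14 GMT 0-PPE-0 : default SSLVPN LOGIN 1002 0 : Context bob@203.0.113.7 - SessionId: 8 - User bob - Client_ip 203.0.113.7 - Nat_ip "Mapped Ip" - Vserver 10.0.0.2:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"
Oct 25 13:26:40 10.0.0.1 10/25/2023:13:26:40 GMT 0-PPE-0 : default SSLVPN LOGIN 1003 0 : Context carol@203.0.113.7 - SessionId: 9 - User carol - Client_ip 203.0.113.7 - Nat_ip "Mapped Ip" - Vserver 10.0.0.2:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"
Oct 25 13:30:05 10.0.0.1 10/25/2023:13:30:05 GMT 0-PPE-0 : default SSLVPN LOGIN 1004 0 : Context dave@203.0.113.7 - SessionId: 10 - User dave - Client_ip 192.0.2.55 - Nat_ip "Mapped Ip" - Vserver 10.0.0.2:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"
Oct 25 13:31:00 10.0.0.1 10/25/2023:13:31:00 GMT 0-PPE-0 : default SSLVPN TCPCONNSTAT 1005 0 : Context alice@198.51.100.10 - SessionId: 7 - (non-login record, ignored)
"""

# Only LOGIN records are parsed; other SSLVPN record types fall through.
LOGIN_RE = re.compile(
    r"SSLVPN LOGIN \d+ \d+ : Context (?P<user>[^@\s]+)@(?P<source>\S+) "
    r"- SessionId: (?P<sid>\d+) - User \S+ - Client_ip (?P<client>\S+)"
)


def parse_logins(text):
    """Return one {"user", "source", "sid", "client"} dict per SSLVPN LOGIN record."""
    return [m.groupdict() for m in (LOGIN_RE.search(line) for line in text.splitlines()) if m]


def users_per_source(records):
    """Map each source IP to the set of distinct usernames that logged in from it."""
    seen = defaultdict(set)
    for r in records:
        seen[r["source"]].add(r["user"])
    return seen


def multi_user_sources(records, threshold=2):
    """Source IPs with at least `threshold` distinct users (the 'multiple users from same IP' check)."""
    return {ip: sorted(users) for ip, users in users_per_source(records).items()
            if len(users) >= threshold}


def mismatched_client_ip(records):
    """Sessions whose Client_ip differs from the login's source address (the 'mismatched IP' check)."""
    return [(r["user"], r["sid"], r["source"], r["client"]) for r in records
            if r["source"] != r["client"]]


def analyze(text, threshold=2):
    """Run both checks over a syslog export and return the findings together."""
    records = parse_logins(text)
    return {
        "logins": len(records),
        "multi_user_sources": multi_user_sources(records, threshold),
        "mismatched": mismatched_client_ip(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_NS_SYSLOG).items():
        print(f"{key}: {value}")
```

Shared egress addresses (a corporate NAT or a carrier-grade NAT) will legitimately produce several users per source IP, so tune the threshold and compare against your baseline before treating a hit as hijacking; the mismatch check is the stronger of the two signals on its own.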
How Blumira Can Help
Blumira detections specific to this exploit:
- Reconnaissance via Net Commands
- Discovery Commands Issued from Unusual Process
- Windows Firewall: Potential RDP Scanning Activity
- Certutil Download
- Mimikatz Process Creation or Command Run
- Mimikatz File Creation Artifacts
- LSASS read with Pypykatz
- Indicator: Password Dumper Remote Thread in LSASS
- Dump LSASS.exe Memory using ProcDump
- Dump LSASS.exe Memory using comsvcs.dll
- Dump LSASS.exe Memory using Windows Task Manager
- Remote Access Tool: Atera
- Remote Access Tool: Splashtop
- Remote Access Tool: AnyDesk
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real-time to protect your environment. Blumira is actively working on a detection for QueueJumper for its customers.
Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.