As Citrix Urges Its Clients to Patch, Researchers Release an Exploit

As Citrix Urges Its Clients to Patch, Researchers Release an Exploit

A critical security update is now available for the latest high-profile Citrix NetScaler vulnerability. But so is an exploit. And in some cases, the latter may be simpler to use than the former.

It’s been a busy week so far for Citrix customers. On Sept. 23, following reports of active exploitation in the wild, the company released an urgent update for CVE-2023-4966, a sensitive information disclosure vulnerability in its NetScaler application delivery controller (ADC) and Gateway products. The vulnerability was assigned a “High” 7.5 out of 10 CVSS rating by NIST, but a “Critical” 9.4 by Citrix itself.

Then on Sept. 24, researchers from Assetnote published a proof-of-concept (PoC) exploit to GitHub. The widely available exploit is, relative to the severe consequences it can wreak, remarkably simple.

“It’s a remote access solution in the vast majority of places and, as a result, it’s exposed to the Internet most of the time,” explains Andy Hornegold, VP of product at Intruder. “The risk is somebody will be able to exploit this vulnerability, read session tokens, connect to your device as one of your standard users, and then access your environment with those privileges.”

The New Citrix Exploit

Researchers from Assetnote discovered two related functions at the heart of CVE-2023-4966 — ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config — both responsible for implementing the OpenID Connect (OIDC) Discovery endpoint. OIDC is an open protocol used for authentication and authorization.

On an unpatched NetScaler device, an attacker could easily overload the buffer by sending a request exceeding 24,812 bytes. With a request hardly three lines long, the researchers discovered they could cause the device to leak memory.

“It feels like hacking back in 1999,” Hornegold says, only half-jokingly. “Back in the day it was, like, the default way of trying to carry out these kinds of attacks — to just stuff a whole load of ‘a’s into a packet and see what comes back.”

In this case, he explains, “I can send one request with a whole bunch of ‘a’s in one go, and then in the body of the response, it starts to expose session tokens for people who are logged in to that NetScaler device, which I can reuse to log in as those users.” By hijacking an authenticated session, a malicious actor could potentially bypass any checks, including multifactor authentication (MFA).

Why Patching Isn’t Enough

According to Citrix, its software is used by more than 400,000 organizations across the globe, including 98% of Fortune 500 companies. According to Enlyft, NetScaler in particular is used by nearly 84,000 companies, including brand names like eBay and Fujitsu.

NetScaler isn’t just popular. As Intruder noted in a Sept. 25 blog post, it’s popular most notably within critical industries, which often prefer to run infrastructure on-premises rather than in the cloud.

So while Citrix advised customers on Sept. 23 to patch as soon as possible, doing so won’t be equally easy for everyone. For organizations that require 24/7 uptime, “It’s a bit of a balancing act,” Hornegold says, “because you obviously need to keep that service live for as long as possible, especially when you’re talking about critical national infrastructure. Any downtime needs to be taken as part of a risk consideration.”

Regular businesses won’t be able to just patch and forget about it, either. As Mandiant pointed out last week, hijacked sessions could persist even through patches, so organizations have to take the extra step of terminating all active sessions.

And even that may not be enough. Mandiant observed threat actors exploiting CVE-2023-4966 as early as August, leaving a healthy window of time for further post-exploitation persistence and downstream access.

“There’s a whole two months of opportunity there,” Hornegold points out. “So if the question is ‘what is the worst that could happen if you don’t patch this?’ —realistically, the worst may well have happened already.”