The vulnerabilities in Citrix NetScaler Gateway and NetScaler ADC cannot be fully resolved with the patches the company has released. Further steps are required, for which Mandiant has published a plan.
Recently, Citrix patched the critical CVE-2023-4966 in NetScaler Gateway and NetScaler ADC. The vulnerability allows an attacker to remotely intercept encrypted communications between devices without any user interaction. This lets attackers steal information or take over systems for further malicious actions.
The vulnerability has been actively abused since August this year.
Patch not sufficient
However, the released patch does not appear to be adequate, according to security company Mandiant. Further research shows that successful exploitation lets attackers hijack existing authenticated sessions, bypassing multi-factor authentication and other strong authentication requirements in the process.
After applying the patch, Mandiant indicates, attackers may still retain this access. Session hijacking remains possible because session credentials stolen before the patch was applied are not invalidated by the patch and can therefore still be abused.
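The point above, that fixing the vulnerable code path does not by itself invalidate sessions issued (and possibly stolen) before the fix, can be shown with a minimal server-side session store. The following is an added illustration written for this page; it is not code from the article, from Mandiant or from Citrix, and it models a generic session store rather than NetScaler's implementation. All names, tokens and timestamps are constructed for the example; the patch time is a hypothetical value.

```python
"""
Added illustration (not from the article, Mandiant or Citrix): a minimal
server-side session store showing why patching code does not by itself
revoke sessions that were issued before the patch, and how an explicit
revocation step (a "not before" cutoff) closes that gap.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class Session:
    token: str
    user: str
    issued_at: datetime
    mfa_passed: bool


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    # Sessions issued before this instant are rejected even if a copy still
    # exists somewhere (a replica, a cache, or an attacker's stolen token).
    not_before: Optional[datetime] = None

    def issue(self, token: str, user: str, issued_at: datetime,
              mfa_passed: bool = True) -> None:
        self.sessions[token] = Session(token, user, issued_at, mfa_passed)

    def validate(self, token: str) -> Optional[str]:
        """Return the session's user if the token is valid, else None."""
        s = self.sessions.get(token)
        if s is None:
            return None
        # A valid MFA login does not help if the token itself was stolen:
        # the cutoff check is what rejects pre-patch sessions.
        if self.not_before is not None and s.issued_at < self.not_before:
            return None
        return s.user

    def revoke_issued_before(self, cutoff: datetime) -> int:
        """Invalidate every session issued before cutoff (e.g. the patch time).

        Returns the number of sessions removed. The cutoff is also recorded so
        that any token missed by the deletion is still rejected on validation.
        """
        self.not_before = cutoff
        stale = [t for t, s in self.sessions.items() if s.issued_at < cutoff]
        for t in stale:
            del self.sessions[t]
        return len(stale)


def demo():
    """Walk through the patch-then-revoke sequence and return what each step saw."""
    # Hypothetical patch time, constructed for the example.
    patch_time = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)
    store = SessionStore()
    # Constructed: a session issued (and, in the scenario, exfiltrated) before the patch.
    store.issue("tok-old", "alice", patch_time.replace(hour=9))
    # Constructed: a session issued after the patch.
    store.issue("tok-new", "bob", patch_time.replace(hour=14))

    # Patching the code changes nothing here: the old token is still accepted.
    before = (store.validate("tok-old"), store.validate("tok-new"))
    # The explicit revocation step is what actually removes the exposure.
    revoked = store.revoke_issued_before(patch_time)
    after = (store.validate("tok-old"), store.validate("tok-new"))
    return before, revoked, after


if __name__ == "__main__":
    print(demo())
```

The `before` tuple shows both tokens accepted even though the vulnerability is notionally fixed; only after `revoke_issued_before` does the pre-patch token stop validating while the post-patch one keeps working. Recording the cutoff as `not_before`, rather than relying on deletion alone, is the design choice that matters: it rejects stale tokens wherever a copy of them turns up.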
Even more access possible
Hijacked authenticated sessions can in turn give attackers further “downstream” access based on the permissions obtained. This can lead to the theft of additional login credentials, lateral movement, and access to more resources within the affected IT environment.
Mandiant has therefore released a complete remediation roadmap for the CVE-2023-4966 vulnerability in Citrix products.