Mandiant: Citrix zero-day actively exploited since August

Mandiant warned that a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway has been actively exploited since August, and mitigation requires additional actions beyond patching.

Last week, Citrix addressed two unauthenticated buffer-related vulnerabilities, tracked as CVE-2023-4966 and CVE-2023-4967, that affected multiple versions of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Citrix urged users to upgrade to the latest versions "as soon as possible," but the threat has only increased since the initial security bulletin was published.

In a blog post Tuesday, Mandiant disclosed that it observed zero-day exploitation of CVE-2023-4966 beginning in late August against technology and government organizations. More alarmingly, threat actors exhibited multifactor authentication (MFA) bypass techniques that will require enterprises to take additional actions to defend beyond patching.

Mandiant said successful exploitation of CVE-2023-4966, a sensitive information disclosure flaw that received a CVSS score of 9.4, could allow attackers to "hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements." Identity-based attacks that bypass MFA protocols have been on the rise, and many have been successful, including ones against Las Vegas casinos last month.

"These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed," Mandiant wrote in the blog post. "Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor. The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted."

Mandiant emphasized that an attacker could then harvest credentials or gain access to additional resources within a victim environment. Citrix updated its initial security bulletin Tuesday with the active exploitation warning.

Separately, Mandiant CTO Charles Carmakal addressed the ongoing threat in a statement on LinkedIn. While CVE-2023-4966 is not a remote code execution vulnerability, Carmakal urged users to prioritize patching "given the active exploitation and vulnerability criticality." He also provided additional mitigation steps to defend against potential MFA bypass attacks.

"Organizations need to do more than just apply the patch -- they should also terminate all active sessions. These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed. Therefore, even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated," Carmakal wrote.

Attribution is unknown, but Carmakal said Mandiant is assessing potential cyberespionage motives. However, he warned that the flaw might attract additional attackers as well. "We anticipate other threat actors with financial motivations will exploit this over time," he said.

It's unclear how CVE-2023-4966 was initially discovered. Citrix's advisory does not credit any party for reporting the vulnerability. Citrix did not respond to requests for comment at press time.

Update 10/18: A spokesperson for Mandiant-Google Cloud sent the following statement from Carmakal to TechTarget Editorial: "We observed exploitation that occurred in late August 2023 (that's the earliest confirmed evidence of compromise observed to date). We only discovered that intrusion activity for an incident response client this week. We were not involved in the initial discovery of this CVE."

Update 10/19: A Citrix spokesperson emailed the following statement to TechTarget Editorial: "When the vulnerability was made public with a patch October 10, there was no indication from our customers or industry partners that an exploit existed in the wild. The vulnerability was identified internally."

This is the second time in three months that Citrix NetScaler ADC and NetScaler Gateway were targeted. In July, Citrix warned that an unauthenticated remote code execution vulnerability with a CVSS of 9.8, tracked as CVE-2023-3519, was being exploited in the wild against unmitigated ADC and Gateway products. It was one of three vulnerabilities addressed in a July security bulletin that also noted NetScaler ADC and NetScaler Gateway version 12.1 were considered end of life (EOL). As with patching vulnerabilities, enterprises are often slow to retire legacy and EOL products, which could present additional problems.

Arielle Waldman is a Boston-based reporter covering enterprise security news.