Frequently Asked Questions for CitrixBleed (CVE-2023-4966)

Frequently asked questions relating to a critical vulnerability in Citrix NetScaler that has been under active exploitation for over a month, including by ransomware groups.

Background

The Tenable Security Response Team has put together this blog to answer frequently Asked Questions (FAQ) regarding a critical vulnerability known as CitrixBleed.

FAQ

What is CitrixBleed?

CitrixBleed (or “Citrix Bleed”) is a name given to a critical vulnerability in Citrix NetScaler ADC and Gateway. Researchers at Assetnote are credited with naming this vulnerability. A logo for CitrixBleed was created by security researcher Kevin Beaumont.

When was this vulnerability first disclosed?

On October 10, Citrix published its security bulletin, identified as CTX579459, detailing this vulnerability along with a separate flaw.

What are the CVE details for the vulnerabilities patched on October 10?

As part of CTX579459, Citrix patched two vulnerabilities, CVE-2023-4966, also known as CitrixBleed, along with a denial of service (DoS) vulnerability:

We published a blog post for both vulnerabilities on October 18.

What makes CitrixBleed so severe?

CitrixBleed is e​​xtremely simple to exploit and the consequences of exploitation make this vulnerability severe. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable endpoint on a NetScaler ADC or Gateway instance.

By exploiting CitrixBleed, an attacker could obtain valid session tokens from the vulnerable device’s memory. With the possession of valid session tokens, an attacker can replay them back in order to bypass authentication.

Was this exploited as a zero-day?

Yes, according to researchers at Mandiant, they were able to find evidence of zero-day exploitation back in August.

Has in-the-wild exploitation been observed since this vulnerability became public?

Yes, Citrix, our partners at GreyNoise and Kevin Beaumont have all observed in-the-wild exploitation of this vulnerability since at least October 23.

Which threat actors are exploiting CitrixBleed?

As of November 20, there are multiple threat actors exploiting CitrixBleed:

This is not an exhaustive list and specific details about the uncategorized groups are not yet known at this time.

Who are LockBit 3.0 and Medusa and what are their motivations?

LockBit 3.0 and Medusa are two active ransomware groups that have been observed exploiting CitrixBleed as part of attacks against organizations.

Typically, ransomware groups conduct what is known as double extortion, whereby they encrypt files on systems within a network while simultaneously stealing sensitive information from these networks and threatening to leak this stolen data on the dark web if a ransom demand is not paid.

Double extortion attacks are what have fueled the success of ransomware over the years. However, over the last year, ransomware groups are choosing to bypass the encryption stage of their attacks, focusing solely on exfiltration and threaten to publish the stolen information. Ultimately, the motivation of these attackers are not to disrupt operations, but instead to profit from these attacks.

Are the ransomware groups themselves launching these attacks?

No, the groups themselves are often not the ones behind the attacks. They are responsible for developing and providing the ransomware and infrastructure to individuals known as affiliates. Affiliates partner with ransomware groups to conduct the attacks, steal sensitive information and distribute the ransomware payloads within a network. For their efforts, affiliates receive a large portion of the ransomware payout.

On November 21, a joint cybersecurity advisory (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC) and Australian Signals Directorate's Australian Cyber Security Center (ASD's ACSC) was published which includes insights into a real-world attack conducted by affiliates of LockBit 3.0 against Boeing using CitrixBleed.

For more information about affiliates and ransomware groups, please check out our report on The Ransomware Ecosystem.

Are there any specific industries being targeted by this vulnerability?

Public reporting suggests that this vulnerability is currently being used to target organizations across multiple industries across the world including finance, government organizations, technology, professional services, legal, freight and defense.

Do we know how many vulnerable NetScaler ADC and Gateway instances there are?

There have been two different reports highlighting vulnerable NetScaler ADC and Gateway instances accessible on the internet. BleepingComputer cited a security researcher named Yutaka Sejiyama, who says there were 10,400 Citrix servers vulnerable to CitrixBleed as of November 14 while Kevin Beaumont said that there are around 5,000 unpatched servers online as of November 7.

Is there a proof-of-concept (PoC) available for this vulnerability?

Yes, researchers at Assetnote published a PoC for this vulnerability on October 23.

Are patches available for CitrixBleed?

Yes, Citrix released patches for the following NetScaler ADC and Gateway versions:

Version 12.1 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.

If I’ve patched CitrixBleed already, is my network safe?

Because CitrixBleed allows an attacker to steal valid session tokens, these session tokens can be replayed against the system irrespective of the patching status. So long as these stolen session tokens persist and are in the possession of an attacker, they can be reused.

Additionally, Kevin Beaumont notes that ransomware groups like LockBit are maintaining access to compromised networks by installing remote access tools like Atera, a remote monitoring & management (RMM) tool.

Whether patches have been applied or not, organizations that use NetScaler ADC and Gateway should assume compromise and begin an incident response investigation.

How do we stop attackers from leveraging stolen session tokens?

As outlined in this Citrix blog, once the available patches have been applied, there are a set of commands that can be run to kill active and persistent sessions, thereby thwarting attackers ability to replay the valid session tokens back even if a system has been patched. This advice was reiterated again in a follow-up blog published by Citrix on November 21.

Has Tenable released any product coverage for CitrixBleed?

Yes, please refer to the Identifying Affected Systems section below for more information.

Timeline

Identifying affected systems

The following plugins for CVE-2023-4966 and CVE-2023-4967 are available. Customers are advised to use these plugins to identify vulnerable assets.

Get more information

• Tenable Blog Post for CVE-2023-4966 ("Citrix Bleed")
• CTX579459: Citrix Security Bulletin for CVE-2023-4966, CVE-2023-4967
• Assetnote Blog: Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
• Mandiant Blog: Zero-Day Exploitation of CitrixBleed
• NetScaler Cloud Software Group Blog Post on CVE-2023-4966
• Greynoise Blog: Widespread Attacks Using CVE-2023-4966
• Kevin Beaumont Blog: Mass Exploitation of CitrixBleed including Ransomware Group
• Mandiant Blog: Investigation of Session Hijacking via CVE-2023-4966
• Kevin Beaumont: LockBit Strike Team and CitrixBleed
• BleepingComputer: LockBit Exploits Citrix Bleed, 10K Servers Exposed

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.