Companies are urgently addressing a critical security flaw in Citrix NetScaler ADC and NetScaler Gateway platforms, which are currently being exploited by attackers, as noted by the Cybersecurity and Infrastructure Security Agency (CISA).
The Cybersecurity and Infrastructure Security Agency (CISA) identified and issued guidance on a critical vulnerability affecting Citrix NetScaler ADC and Gateway platforms, designated as CVE-2023-4966 and colloquially known as Citrix Bleed.
Notably, the LockBit ransomware group appears to have leveraged CVE-2023-4966 to orchestrate a cyberattack on Boeing.
In response to verified reports of active exploitation by hacker groups, which put users at risk for session hijacking and other malicious cyber activities, CISA has taken swift action.
This vulnerability leaves users at risk of session hijacking and various other malicious activities.
The agency has escalated the issue by adding the vulnerability to its Known Exploited Vulnerabilities Catalog, urging companies to prioritize and expedite their remediation efforts to protect against potential threats.
CISA also updated its Known Exploited Vulnerabilities Catalog with a new entry, CVE-2023-29552, due to confirmed exploitation. This Service Location Protocol (SLP) vulnerability, which can lead to a denial-of-service attack, is commonly exploited by cyber adversaries and presents a serious risk to federal networks.
Citrix Bleed Vulnerability Exploited
AI powered Threat intelligence platform Cyble, during its investigation identified the ongoing exploitation of the CVE-2023-4966 vulnerability. They further noted a swift spread of Proof of Concepts (POCs) for these vulnerabilities across cybercriminal forums
According to the Cyble blog, CVE-2023-4966’s complexity arises from the use of the “snprintf” return value to determine the bytes sent to the client. Researchers initially believed the data inserted into the request required administrator access for configuration.
However, it was later revealed that the payload’s value originated from the HTTP Host header, injecting the hostname into the payload six times and surpassing the buffer limit.
The vulnerability Citrix Bleed, was reportedly exploited by the LockBit group in their attack on Boeing.
Security expert Dominic Alvieri pointed to the potential involvement of LockBit in exploiting Citrix Bleed. “LockBit appears to be exploiting Citrix Bleed CVE-2023-4966,” tweeted Dominic while sharing a screenshot of the LockBit exploit.
While CISA has urged organizations to swiftly patch the vulnerability, according to a recent report, companies are struggling to do so.
Caitlin Condon, head of vulnerability research at Rapid7, notes a persistent pattern of breaches tied to CitrixBleed. “Organizations seem to be struggling to patch actively exploited vulnerabilities quickly,” Condon observed, Cyber Security Dive reported.
The ongoing exploitation of CitrixBleed highlights a significant challenge within the cybersecurity space. Despite the heightened awareness and the clear dangers posed by such vulnerabilities, organizations are lagging in their response times to implement crucial patches.
This sluggishness in fortifying their defenses against known threats highlighting the need for more efficient security protocols and a faster patch management response to safeguard against such persistent cyber threats.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.