Citrix Bleed Bug Delivers Sharp Blow: Vulnerability is Now Under "Mass Exploitation"

Citrix Bleed Bug: A Critical Vulnerability in Widespread Use

Despite the fact that a patch has been available for three weeks, ransomware hackers are exploiting a vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using Citrix hardware. 

What exactly is Citrix Bleed?

CVE-2023-4966, which exists in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, has been actively exploited since August. The vulnerability has a severity rating of 9.4 out of a possible 10, which is quite high for a simple information-disclosure fault. 

According to some estimates, 20,000 smartphones have already been compromised. The reason for this is that the information released may contain session tokens, which are assigned by the hardware to devices that have previously successfully provided credentials, including those delivering MFA

Attacks on the rise

Attacks have just lately increased, forcing security researcher Kevin Beaumont to write on Saturday, "This vulnerability is now under mass exploitation." He went on to describe the situation as follows: "From talking to multiple organizations, they are seeing widespread exploitation."

He stated that as of Saturday, he has discovered an estimated 20,000 instances of compromised Citrix machines with stolen session tokens. He stated that his estimate was based on establishing a honeypot of servers disguised as susceptible Netscaler devices to track opportunistic Internet attacks. Beaumont then compared the results to other data sources, such as Netflow and the Shodan search engine.

Meanwhile, GreyNoise, a security firm that also uses honeypots, was reporting CVE-2023-4966 attacks coming from 135 IP addresses. This is a 27-fold rise from the five IPs discovered by GreyNoise five days earlier.

Easy to exploit vulnerabilities 

According to the most recent data from security firm Shadowserver, there were approximately 5,500 unpatched machines. Beaumont has admitted that the amount contradicts his previous estimate of 20,000 affected devices. It's unclear what was causing the disparity.

The vulnerability is reasonably simple to exploit for experienced users. A simple reverse-engineering of the Citrix patch reveals the vulnerable methods, and it's not difficult to develop code that exploits them from there. A number of proof-of-concept exploits are available online, making attacks considerably easier.

What next? What should companies do to be safe?

Citrix Bleed is similar to Heartbleed, another major information leak vulnerability that rocked the Internet in 2014. This weakness, which was found in the OpenSSL code library, was widely exploited, allowing the theft of passwords, encryption keys, banking credentials, and other sensitive information. Citrix Bleed is less severe because fewer vulnerable devices are in operation.

Citrix Bleed, on the other hand, is still quite awful. All Netscaler devices should be considered hacked by organizations. This involves patching any unpatched devices that remain. Then, all credentials should be rotated to guarantee that any potentially leaked session tokens are expired. Mandiant, a security firm, provides comprehensive security advice here.