CVE-2023-4966: LockBit Exploits Citrix Bleed in Ransomware Attacks


On November 21, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on LockBit ransomware affiliates exploiting the Citrix Bleed vulnerability, CVE-2023-4966 [1]. The vulnerability lets adversaries bypass password requirements and multi-factor authentication (MFA) by hijacking existing user sessions on Citrix NetScaler ADC and NetScaler Gateway appliances. CVE-2023-4966 has a CVSS score of 9.4 (Critical) and is actively exploited in the wild.

In this blog, we explain the Citrix CVE-2023-4966 vulnerability and how organizations can defend against Citrix Bleed attacks.

Citrix Bleed: Citrix NetScaler CVE-2023-4966 Vulnerability Explained

Citrix NetScaler Application Delivery Controller (ADC) and Gateway are networking products used for enhancing the performance, security, and availability of applications and services delivered over a network. Citrix NetScaler ADC primarily focuses on optimizing and securing the delivery of applications within a network, and NetScaler Gateway focuses on providing secure remote access to those applications and corporate resources. Both products are commonly used in enterprise environments to improve application performance, security, and accessibility for both on-premises and remote users.

On October 10, 2023, Citrix published a security bulletin for a sensitive information disclosure vulnerability affecting NetScaler ADC and NetScaler Gateway appliances that enables authentication bypass through session hijacking. The vulnerability, CVE-2023-4966, has since been dubbed Citrix Bleed and has a CVSS score of 9.4 (Critical).

CVE-2023-4966 can be exploited remotely by an unauthenticated attacker to bypass authentication and MFA. The attack requires no user interaction and no privileged account, and its complexity is low. An appliance is only affected when it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The affected products and the builds that carry the fix are listed below.

Product Name        Fixed Versions
NetScaler ADC       14.1-8.50 and later releases
                    13.1-49.15 and later releases of 13.1
                    13.0-92.19 and later releases of 13.0
                    13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
                    12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
                    12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
NetScaler Gateway   14.1-8.50 and later releases
                    13.1-49.15 and later releases of 13.1
                    13.0-92.19 and later releases of 13.0
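The table above is easy to misread when comparing builds by hand (for example, a string comparison puts build "9.x" after "49.15"). The following script is an added example, not Citrix's or Picus's code: it encodes the fixed builds from the table and decides whether a given build is at or past the fix for its release branch. The banner format it parses ("NetScaler NS13.1: Build 49.15.nc ...", as printed by the show ns version command), the variant argument that distinguishes standard, FIPS and NDcPP builds, and the sample banners are assumptions made for the example. Branches with no fixed build listed (standard 12.1) are treated as unpatched.

```python
# Added example (not from the original post or from Citrix): decide whether a
# NetScaler build is at or past the CVE-2023-4966 fixed version in the table.
# Assumed: version banners look like "NetScaler NS13.1: Build 49.15.nc ..." and
# the caller knows whether the appliance runs a standard, FIPS or NDcPP build.
import re

# (release, variant) -> fixed build, transcribed from the table above.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract (release, (build_major, build_minor)) from a version banner."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_fixed(text: str, variant: str = "standard") -> bool:
    """True if this build carries the CVE-2023-4966 fix for its release branch.

    Builds are compared as integer tuples, so 13.1-48.47 correctly ranks below
    13.1-49.15 and a later branch (14.1) is never compared against 13.1's fix.
    """
    release, build = parse_version(text)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        # No fixed build is listed for this branch/variant (for example the
        # standard 12.1 branch): treat it as unpatched rather than unknown.
        return False
    return build >= fixed


def assess(text: str, variant: str = "standard", exposed: bool = True) -> str:
    """Combine patch level with exposure. Only appliances configured as a
    Gateway or AAA virtual server expose the vulnerable endpoint."""
    if not exposed:
        return "not exposed"
    return "patched" if is_fixed(text, variant) else "VULNERABLE: upgrade, then kill sessions"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real appliances.
    for banner, variant in [
        ("NetScaler NS13.1: Build 48.47.nc", "standard"),
        ("NetScaler NS13.1: Build 49.15.nc", "standard"),
        ("NetScaler NS12.1: Build 65.35.nc", "standard"),
        ("NetScaler NS12.1: Build 55.300.nc", "FIPS"),
    ]:
        print(f"{banner:36} {variant:9} {assess(banner, variant)}")
```

Feed it the banner from each appliance's show ns version output along with the build variant; a "patched" result only means the fix is installed, it says nothing about sessions stolen before the upgrade.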

Recent intrusions show that threat actors have added Citrix Bleed to their arsenal and use it as an initial access vector. In its advisory, CISA reports that LockBit 3.0 affiliates exploited CVE-2023-4966 to gain access to victim networks and deploy ransomware [1]. The victims span industries worldwide; high-profile cases reported in connection with these attacks include Boeing, Industrial & Commercial Bank of China (ICBC), DP World, and Allen & Overy. Given the ease of exploitation and the publicly available proof-of-concept exploits, organizations should patch their vulnerable NetScaler ADC and Gateway appliances as soon as possible.

How Does the CVE-2023-4966 Citrix Bleed Exploit Work?

NetScaler ADC and Gateway handle TCP/IP connections and HTTP services in the NetScaler Packet Processing Engine (nsppe). In vulnerable builds, the nsppe code that serves the OpenID Connect discovery endpoint contains an out-of-bounds memory read rather than a classic overflow [2]. While building the discovery document, the handler writes the value of the request's Host header into a fixed-size buffer with snprintf and then sends the response using snprintf's return value as its length. That return value is the length the output would have had, not the number of bytes that actually fit in the buffer, so an over-long Host header makes the appliance append the memory that follows the buffer to its response. Among the leaked bytes can be the NSC_AAAC session cookie of an authenticated user; replaying that cookie gives the attacker the user's session without a password or an MFA prompt. A request of the following shape triggers the leak:

//Attacker-crafted GET request

GET /oauth/idp/.well-known/openid-configuration HTTP/1.1
Host: a ...<too_many>...a
Connection: close


Citrix Bleed CVE-2023-4966 Vulnerability Exploit Example
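The request above has one property a defender can key on: no legitimate Host value comes anywhere near the length needed to trigger the leak (a fully qualified domain name is at most 253 characters in text form). The script below is an added example, not code from the original post or from Citrix or Picus, that parses raw HTTP request heads and flags over-long Host headers, with an extra note when the target is the OpenID discovery endpoint. This is essentially the check behind the "over-long Host header" IPS signatures vendors shipped for CVE-2023-4966. The 300-byte threshold, the 5000-byte Host value standing in for the "<too_many>" placeholder, and the sample requests are constructed for the example and are not the real exploit parameters.

```python
# Added example (not from the original post or from Citrix/Picus): flag HTTP
# requests whose Host header is far longer than any hostname can be, the
# condition the "over-long Host header" IPS signatures for CVE-2023-4966 key on.
# The threshold and the sample requests below are constructed assumptions.
from __future__ import annotations

from dataclasses import dataclass

# A fully qualified domain name is at most 253 characters in text form, so a
# Host value (hostname plus optional ":port") beyond a few hundred bytes has no
# legitimate use. 300 is an assumed, deliberately generous threshold.
MAX_HOST_LEN = 300

# Endpoint targeted by the Citrix Bleed request shown above.
OPENID_CONFIG_PATH = "/oauth/idp/.well-known/openid-configuration"


@dataclass
class Verdict:
    path: str
    host_len: int
    suspicious: bool
    reason: str


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, headers).

    Only the head is parsed; any body is ignored. Header names are lower-cased
    so lookups are case-insensitive, as HTTP requires.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, _version = parts
    path = target.split("?", 1)[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_request(raw: bytes) -> Verdict:
    """Return a Verdict saying whether the request looks like a Host-header leak attempt."""
    _method, path, headers = parse_request_head(raw)
    host = headers.get("host", "")
    if len(host) > MAX_HOST_LEN:
        reason = f"Host header is {len(host)} bytes (limit {MAX_HOST_LEN})"
        if path == OPENID_CONFIG_PATH:
            reason += "; target is the OpenID discovery endpoint"
        return Verdict(path, len(host), True, reason)
    return Verdict(path, len(host), False, "")


# Constructed sample traffic. The exploit-shaped request uses a 5000-byte Host
# value as a stand-in for the "<too_many>" placeholder above; the length the
# real exploit needs is not something this example asserts.
BENIGN_REQUEST = (
    b"GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\n"
    b"Host: gateway.example.com\r\n"
    b"Connection: close\r\n\r\n"
)
EXPLOIT_SHAPED_REQUEST = (
    b"GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\n"
    b"Host: " + b"a" * 5000 + b"\r\n"
    b"Connection: close\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, EXPLOIT_SHAPED_REQUEST):
        v = inspect_request(raw)
        print("SUSPICIOUS" if v.suspicious else "ok", v.path, v.host_len, v.reason)
```

An inline IPS or WAF applies the same rule before the request reaches the appliance; the script is useful for sweeping captured traffic or proxy logs for earlier attempts, where a hit against the discovery endpoint is a strong signal that session tokens may already have been taken.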

Citrix's fix bounds the length of user-supplied input the endpoint will process, so an over-long Host header no longer causes the response to run past the buffer. Patching alone is not enough, however: session tokens leaked before the upgrade stay valid until the corresponding sessions are terminated, and both Citrix and CISA [1] advise killing all active and persistent sessions once the fixed build is installed (on the NetScaler CLI: kill aaa session -all, kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, and clear lb persistentSessions). Organizations are advised to patch their vulnerable NetScaler ADC and Gateway appliances without delay and then invalidate existing sessions.

LockBit Exploits Citrix Bleed in the Boeing Ransomware Attack

LockBit is a sophisticated ransomware group that has gained notoriety for its high-profile ransomware and data extortion attacks. Operating under a ransomware-as-a-service (RaaS) model, LockBit supplies its ransomware payloads to affiliates who carry out the actual intrusions. The group first emerged in 2019 and has evolved since, encrypting victims' files and demanding ransoms in exchange for decryption keys. LockBit has developed multiple ransomware variants and remains one of the most infamous ransomware groups in the cyber threat landscape.

As a sophisticated ransomware group, LockBit is quick to add new techniques and initial access vectors to its arsenal. In the Boeing ransomware attack, LockBit affiliates used Citrix Bleed as the initial access vector and went on to steal and encrypt the victim's sensitive data. The post-exploitation activity began with a malicious PowerShell script that wrote a DLL named adobelib.dll to disk; the DLL then attempted to send a POST request to an adversary-controlled website [1]. Beyond these activities, LockBit operators followed Tactics, Techniques, and Procedures (TTPs) similar to those seen in their other campaigns. To learn more about LockBit, you can check our previous blog posts on the LockBit, LockBit 2.0, and LockBit 3.0 ransomware variants.

How Does Picus Help Simulate CVE-2023-4966 Citrix Bleed Attacks?

We strongly suggest simulating the Citrix Bleed vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, ProxyShell, and Looney Tunables, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Citrix Bleed CVE-2023-4966 vulnerability exploitation attacks:

Threat ID   Threat Name                                              Attack Module
40431       Netscaler Server Web Attack Campaign                     Web Application
94722       Citrix Bleed Campaign Backdoor Malware Download Threat   Network Infiltration
45723       Citrix Bleed Campaign Backdoor Malware Email Threat      Email Infiltration (Phishing)

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address the Citrix Bleed CVE-2023-4966 vulnerability and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for CVE-2023-4966:

Security Control   Signature ID                      Signature Name
Checkpoint NGFW    asm_dynamic_prop_CVE_2023_4966    Citrix NetScaler Information Disclosure (CVE-2023-4966)
Fortigate IPS      27845                             misc: HTTP.Header.Overly.Long.Host.Field.Value
Palo Alto          32148                             Over-long HTTP Host Header Detected

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a. [Accessed: Nov. 23, 2023]

[2] "Citrix Bleed: Leaking Session Tokens with CVE-2023-4966." Available: https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966. [Accessed: Nov. 23, 2023]