Frequently Asked Questions for CitrixBleed (CVE-2023-4966)

Frequently asked questions relating to a critical vulnerability in Citrix NetScaler that has been under active exploitation for over a month, including by ransomware groups.

Background

The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding a critical vulnerability known as CitrixBleed.

FAQ

What is CitrixBleed?

CitrixBleed (or “Citrix Bleed”) is a name given to a critical vulnerability in Citrix NetScaler ADC and Gateway. Researchers at Assetnote are credited with naming this vulnerability. A logo for CitrixBleed was created by security researcher Kevin Beaumont.

When was this vulnerability first disclosed?

On October 10, Citrix published its security bulletin, identified as CTX579459, detailing this vulnerability along with a separate flaw.

What are the CVE details for the vulnerabilities patched on October 10?

As part of CTX579459, Citrix patched two vulnerabilities, CVE-2023-4966, also known as CitrixBleed, along with a denial of service (DoS) vulnerability:

CVE | Description | CVSSv3 | Severity
CVE-2023-4966 | Citrix NetScaler ADC and Gateway Sensitive Information Disclosure Vulnerability (“CitrixBleed”) | 9.4 | Critical
CVE-2023-4967 | Citrix NetScaler ADC and Gateway DoS Vulnerability | 8.2 | High

We published a blog post for both vulnerabilities on October 18.

What makes CitrixBleed so severe?

CitrixBleed is extremely simple to exploit, and the consequences of exploitation make this vulnerability severe. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable endpoint on a NetScaler ADC or Gateway instance.

By exploiting CitrixBleed, an attacker could obtain valid session tokens from the vulnerable device’s memory. With valid session tokens in hand, an attacker can replay them to bypass authentication.

Was this exploited as a zero-day?

Yes. Researchers at Mandiant found evidence of zero-day exploitation dating back to August.

Has in-the-wild exploitation been observed since this vulnerability became public?

Yes, Citrix, our partners at GreyNoise and Kevin Beaumont have all observed in-the-wild exploitation of this vulnerability since at least October 23.

Which threat actors are exploiting CitrixBleed?

As of November 20, there are multiple threat actors exploiting CitrixBleed:

Threat Group/Actor Name | Type | Source
LockBit 3.0 | Ransomware | Kevin Beaumont
Medusa | Ransomware | Kevin Beaumont
Uncategorized Group #1 | Unknown | Mandiant
Uncategorized Group #2 | Unknown | Mandiant
Uncategorized Group #3 | Unknown | Mandiant
Uncategorized Group #4 | Unknown | Mandiant

This is not an exhaustive list and specific details about the uncategorized groups are not yet known at this time.

Who are LockBit 3.0 and Medusa and what are their motivations?

LockBit 3.0 and Medusa are two active ransomware groups that have been observed exploiting CitrixBleed as part of attacks against organizations.

Typically, ransomware groups conduct what is known as double extortion, whereby they encrypt files on systems within a network while simultaneously stealing sensitive information from these networks and threatening to leak this stolen data on the dark web if a ransom demand is not paid.

Double extortion attacks are what have fueled the success of ransomware over the years. However, over the last year, ransomware groups have been choosing to bypass the encryption stage of their attacks, focusing solely on exfiltration and threatening to publish the stolen information. Ultimately, the motivation of these attackers is not to disrupt operations, but to profit from these attacks.

Are the ransomware groups themselves launching these attacks?

No, the groups themselves are often not the ones behind the attacks. They are responsible for developing and providing the ransomware and infrastructure to individuals known as affiliates. Affiliates partner with ransomware groups to conduct the attacks, steal sensitive information and distribute the ransomware payloads within a network. For their efforts, affiliates receive a large portion of the ransomware payout.

For more information about affiliates and ransomware groups, please check out our report on The Ransomware Ecosystem.

Are there any specific industries being targeted by this vulnerability?

Public reporting suggests that this vulnerability is currently being used to target organizations worldwide across multiple industries, including finance, government, technology, professional services, legal, freight and defense.

Do we know how many vulnerable NetScaler ADC and Gateway instances there are?

There have been two different reports highlighting vulnerable NetScaler ADC and Gateway instances accessible on the internet. BleepingComputer cited security researcher Yutaka Sejiyama, who said there were 10,400 Citrix servers vulnerable to CitrixBleed as of November 14, while Kevin Beaumont said there were around 5,000 unpatched servers online as of November 7.

Is there a proof-of-concept (PoC) available for this vulnerability?

Yes, researchers at Assetnote published a PoC for this vulnerability on October 23.

Are patches available for CitrixBleed?

Yes, Citrix released patches for the following NetScaler ADC and Gateway versions:

Affected Product | Affected Version | Fixed Version
NetScaler ADC and NetScaler Gateway | Prior to 13.0-92.19 | 13.0-92.19 and later releases of 13.0
NetScaler ADC and NetScaler Gateway | Prior to 13.1-49.15 | 13.1-49.15 and later releases of 13.1
NetScaler ADC and NetScaler Gateway | Prior to 14.1-8.50 | 14.1-8.50 and later releases
NetScaler ADC 12.1-NDcPP | Prior to 12.1-55.300 | 12.1-55.300 and later releases of 12.1-NDcPP
NetScaler ADC 12.1-FIPS | Prior to 12.1-55.300 | 12.1-55.300 and later releases of 12.1-FIPS
NetScaler ADC 13.1-FIPS | Prior to 13.1-37.164 | 13.1-37.164 and later releases of 13.1-FIPS

Version 12.1 of NetScaler ADC and Gateway is end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.
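As an added illustration (not Tenable's plugin code and not anything from Citrix), the check below compares a NetScaler build string against the fixed-version table above. The variant label (standard, FIPS or NDcPP) is an assumed separate input, because a build number alone cannot tell 13.1 apart from 13.1-FIPS, and the sample version strings at the bottom are constructed.

```python
import re
from typing import Optional, Tuple

# First fixed build per (release branch, variant), taken from the bulletin table above.
# Standard 12.1 is end of life with no fixed build, so every standard 12.1 build
# is treated as vulnerable (value None).
FIXED_BUILDS = {
    ("13.0", "standard"): (92, 19),
    ("13.1", "standard"): (49, 15),
    ("14.1", "standard"): (8, 50),
    ("12.1", "NDcPP"): (55, 300),
    ("12.1", "FIPS"): (55, 300),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "standard"): None,
}

# NetScaler versions look like "13.1-49.13": branch "13.1", build 49, sub-build 13.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, int, int]:
    """Split a NetScaler version string into (branch, build, sub-build)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: str, variant: str = "standard") -> Optional[bool]:
    """True if the build predates the CVE-2023-4966 fix, False if it is fixed,
    None if the (branch, variant) pair is not covered by the bulletin table."""
    branch, build, sub = parse_version(version)
    key = (branch, variant)
    if key not in FIXED_BUILDS:
        return None
    fixed = FIXED_BUILDS[key]
    if fixed is None:  # EOL branch: no fixed build exists
        return True
    return (build, sub) < fixed  # tuple comparison: build first, then sub-build


if __name__ == "__main__":
    # Constructed sample inputs; note that 13.1-37.164 is fixed only for the FIPS variant.
    for v, variant in [("13.1-49.13", "standard"), ("13.1-49.15", "standard"),
                       ("13.1-37.164", "FIPS"), ("13.1-37.164", "standard"),
                       ("12.1-65.39", "standard"), ("14.1-8.50", "standard")]:
        print(f"{v} ({variant}) vulnerable: {is_vulnerable(v, variant)}")
```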

If I’ve patched CitrixBleed already, is my network safe?

Because CitrixBleed allows an attacker to steal valid session tokens, these session tokens can be replayed against the system irrespective of the patching status. So long as these stolen session tokens persist and are in the possession of an attacker, they can be reused.

Additionally, Kevin Beaumont notes that ransomware groups like LockBit are maintaining access to compromised networks by installing remote access tools like Atera, a remote monitoring & management (RMM) tool.

Whether patches have been applied or not, organizations that use NetScaler ADC and Gateway should assume compromise and begin an incident response investigation.

How do we stop attackers from leveraging stolen session tokens?

As outlined in this Citrix blog, once the available patches have been applied, there is a set of commands that can be run to kill active and persistent sessions, thereby thwarting attackers’ ability to replay the valid session tokens even after a system has been patched.

Has Tenable released any product coverage for CitrixBleed?

Yes, please refer to the Identifying Affected Systems section below for more information.

Timeline

Date | Details | Milestone
August 2023 | On October 17, researchers at Mandiant looked back and found evidence of exploitation of a Citrix NetScaler zero-day | Zero-Day Exploitation
October 10, 2023 | Citrix publishes security bulletin CTX579459 to address two vulnerabilities in NetScaler ADC and Gateway including CVE-2023-4966 | Public Disclosure
October 17, 2023 | Mandiant publishes its blog post on the discovery of zero-day exploitation of CVE-2023-4966 | Historical Insight
October 23, 2023 | Researchers at GreyNoise add a tag for CVE-2023-4966 to track associated activity | Monitoring for Exploitation
October 23, 2023 | Assetnote publishes its proof-of-concept (PoC) to GitHub | Proof-of-Concept Published
October 24, 2023 | GreyNoise identifies first in-the-wild exploitation attempts for CVE-2023-4966 | Exploitation Detected
October 25, 2023 | Researchers at Assetnote publish a blog post naming the vulnerability “Citrix Bleed”, providing technical details and highlighting its PoC | Named Vulnerability, Technical Details Shared
October 25, 2023 | Researcher Kevin Beaumont says the vulnerability is being “mass exploited in the wild for about a month” and highlights ease of exploitation | Additional Details, Confirmed Exploitation Activity
October 27, 2023 | Beaumont reiterates mass exploitation and publishes a blog post revealing that a ransomware group is leveraging it as part of attacks | Exploited by First Ransomware Group
October 28, 2023 | Over 20,000 NetScaler systems have been exploited, according to Beaumont | Mass Exploitation Activity
November 11, 2023 | LockBit ransomware group is confirmed to be using CitrixBleed in attacks against a variety of industries including finance, freight, legal and defense | Widespread Exploitation of Vulnerability by LockBit Affiliates
November 14, 2023 | A second ransomware group, Medusa, has also begun exploiting this vulnerability in attacks | Exploited by Second Ransomware Group
November 14, 2023 | Security researcher Yutaka Sejiyama shared with BleepingComputer that over 10,400 Citrix servers are still vulnerable to CVE-2023-4966, with nearly a third (30%) in the United States | Updated Attack Surface

Identifying affected systems

The following plugins for CVE-2023-4966 and CVE-2023-4967 are available. Customers are advised to use these plugins to identify vulnerable assets.

Plugin ID | Title | Type
183026 | NetScaler ADC and NetScaler Gateway Multiple Vulnerabilities (CTX579459) | Version Check
114100 | Citrix Gateway / ADC Sensitive Information Exposure (Tenable Web App Scanning, formerly Tenable.io Web Application Scanning) | Remote Check

Get more information

Tenable Blog Post for CVE-2023-4966 (“Citrix Bleed”)
CTX579459: Citrix Security Bulletin for CVE-2023-4966, CVE-2023-4967
Assetnote Blog: Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
Mandiant Blog: Zero-Day Exploitation of CitrixBleed
NetScaler Cloud Software Group Blog Post on CVE-2023-4966
GreyNoise Blog: Widespread Attacks Using CVE-2023-4966
Kevin Beaumont Blog: Mass Exploitation of CitrixBleed including Ransomware Group
Mandiant Blog: Investigation of Session Hijacking via CVE-2023-4966
Kevin Beaumont: LockBit Strike Team and CitrixBleed
BleepingComputer: LockBit Exploits Citrix Bleed, 10K Servers Exposed

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
