Secure peace of mind with Cyber Legion—Your Trusted Cybersecurity Partner.

Speak With a Security Expert

Elevate your cybersecurity posture with our expert and strategic security solutions

Experience the assurance of CREST Certified Penetration Testing services

Frequently Asked Questions for CitrixBleed (CVE-2023-4966)

Frequently asked questions relating to a critical vulnerability in Citrix NetScaler that has been under active exploitation for over a month, including by ransomware groups.

Background

The Tenable Security Response Team has put together this blog to answer frequently Asked Questions (FAQ) regarding a critical vulnerability known as CitrixBleed.

FAQ

What is CitrixBleed?

CitrixBleed (or “Citrix Bleed”) is a name given to a critical vulnerability in Citrix NetScaler ADC and Gateway. Researchers at Assetnote are credited with naming this vulnerability. A logo for CitrixBleed was created by security researcher Kevin Beaumont.

When was this vulnerability first disclosed?

On October 10, Citrix published its security bulletin, identified as CTX579459, detailing this vulnerability along with a separate flaw.

What are the CVE details for the vulnerabilities patched on October 10?

As part of CTX579459, Citrix patched two vulnerabilities, CVE-2023-4966, also known as CitrixBleed, along with a denial of service (DoS) vulnerability:

CVEDescriptionCVSSv3SeverityCVE-2023-4966Citrix NetScaler ADC and Gateway Sensitive Information Disclosure Vulnerability (“CitrixBleed”)9.4CriticalCVE-2023-4967Citrix NetScaler ADC and Gateway DoS Vulnerability8.2High

We published a blog post for both vulnerabilities on October 18.

What makes CitrixBleed so severe?

CitrixBleed is e​​xtremely simple to exploit and the consequences of exploitation make this vulnerability severe. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable endpoint on a NetScaler ADC or Gateway instance.

By exploiting CitrixBleed, an attacker could obtain valid session tokens from the vulnerable device’s memory. With the possession of valid session tokens, an attacker can replay them back in order to bypass authentication.

Was this exploited as a zero-day?

Yes, according to researchers at Mandiant, they were able to find evidence of zero-day exploitation back in August.

Has in-the-wild exploitation been observed since this vulnerability became public?

Yes, Citrix, our partners at GreyNoise and Kevin Beaumont have all observed in-the-wild exploitation of this vulnerability since at least October 23.

Which threat actors are exploiting CitrixBleed?

As of November 20, there are multiple threat actors exploiting CitrixBleed:

Threat Group/Actor NameTypeSourceLockBit 3.0RansomwareKevin BeaumontMedusaRansomwareKevin BeaumontUncategorized Group #1UnknownMandiantUncategorized Group #2UnknownMandiantUncategorized Group #3UnknownMandiantUncategorized Group #4UnknownMandiant

This is not an exhaustive list and specific details about the uncategorized groups are not yet known at this time.

Who are LockBit 3.0 and Medusa and what are their motivations?

LockBit 3.0 and Medusa are two active ransomware groups that have been observed exploiting CitrixBleed as part of attacks against organizations.

Typically, ransomware groups conduct what is known as double extortion, whereby they encrypt files on systems within a network while simultaneously stealing sensitive information from these networks and threatening to leak this stolen data on the dark web if a ransom demand is not paid.

Double extortion attacks are what have fueled the success of ransomware over the years. However, over the last year, ransomware groups are choosing to bypass the encryption stage of their attacks, focusing solely on exfiltration and threaten to publish the stolen information. Ultimately, the motivation of these attackers are not to disrupt operations, but instead to profit from these attacks.

Are the ransomware groups themselves launching these attacks?

No, the groups themselves are often not the ones behind the attacks. They are responsible for developing and providing the ransomware and infrastructure to individuals known as affiliates. Affiliates partner with ransomware groups to conduct the attacks, steal sensitive information and distribute the ransomware payloads within a network. For their efforts, affiliates receive a large portion of the ransomware payout.

For more information about affiliates and ransomware groups, please check out our report on The Ransomware Ecosystem.

Are there any specific industries being targeted by this vulnerability?

Public reporting suggests that this vulnerability is currently being used to target organizations across multiple industries across the world including finance, government organizations, technology, professional services, legal, freight and defense.

Do we know how many vulnerable NetScaler ADC and Gateway instances there are?

There have been two different reports highlighting vulnerable NetScaler ADC and Gateway instances accessible on the internet. BleepingComputer cited a security researcher named Yutaka Sejiyama, who says there were 10,400 Citrix servers vulnerable to CitrixBleed as of November 14 while Kevin Beaumont said that there are around 5,000 unpatched servers online as of November 7.

Is there a proof-of-concept (PoC) available for this vulnerability?

Yes, researchers at Assetnote published a PoC for this vulnerability on October 23.

Are patches available for CitrixBleed?

Yes, Citrix released patches for the following NetScaler ADC and Gateway versions:

Affected ProductAffected VersionFixed VersionNetScaler ADC and NetScaler GatewayPrior to 13.0-92.1913.0-92.19 and later releases of 13.0Prior to 13.1-49.1513.1-49.15 and later releases of 13.1Prior to 14.1-8.5014.1-8.50 and later releasesNetScaler ADC 12.1-NDcPPPrior to 12.1-55.30012.1-55.300 and later releases of 12.1-NDcPPNetScaler ADC 12.1-FIPSPrior to 12.1-55.30012.1-55.300 and later releases of 12.1-FIPSNetScaler ADC 13.1-FIPSPrior to 13.1-37.16413.1-37.164 and later releases of 13.1-FIPS

Version 12.1 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.

If I’ve patched CitrixBleed already, is my network safe?

Because CitrixBleed allows an attacker to steal valid session tokens, these session tokens can be replayed against the system irrespective of the patching status. So long as these stolen session tokens persist and are in the possession of an attacker, they can be reused.

Additionally, Kevin Beaumont notes that ransomware groups like LockBit are maintaining access to compromised networks by installing remote access tools like Atera, a remote monitoring & management (RMM) tool.

Whether patches have been applied or not, organizations that use NetScaler ADC and Gateway should assume compromise and begin an incident response investigation.

How do we stop attackers from leveraging stolen session tokens?

As outlined in this Citrix blog, once the available patches have been applied, there are a set of commands that can be run to kill active and persistent sessions, thereby thwarting attackers ability to replay the valid session tokens back even if a system has been patched.

Has Tenable released any product coverage for CitrixBleed?

Yes, please refer to the Identifying Affected Systems section below for more information.

Timeline

DateDetailsMilestoneAugust 2023On October 17, researchers at Mandiant looked back and found evidence of exploitation of a Citrix NetScaler zero-dayZero-Day ExploitationOctober 10, 2023Citrix publishes security bulletin CTX579459 to address two vulnerabilities in NetScaler ADC and Gateway including CVE-2023-4966Public DisclosureOctober 17, 2023Mandiant publishes its blog post on the discovery of zero-day exploitation of CVE-2023-4966Historical InsightOctober 23, 2023Researchers at GreyNoise add a tag for CVE-2023-4966 to track associated activityMonitoring for ExploitationAssetnote publishes its proof-of-concept (PoC) to GitHubProof-of-Concept PublishedOctober 24, 2023GreyNoise identifies first in-the-wild exploitation attempts for CVE-2023-49666Exploitation DetectedOctober 25, 2023Researchers at Assetnote publish a blog post naming the vulnerability “Citrix Bleed” and providing technical details and highlights its PoCNamed Vulnerability, Technical Details SharedResearcher Kevin Beaumont says vulnerability is being “mass exploited in the wild for about a month” and highlights ease of exploitationAdditional Details, Confirmed Exploitation ActivityOctober 27, 2023Beaumont reiterates mass exploitation, publishes blog post that reveals that a ransomware group is leveraging it as part of attacksExploited by First Ransomware GroupOctober 28, 2023Over 20,000 NetScaler systems have been exploited according to BeaumontMass Exploitation ActivityNovember 11, 2023LockBit ransomware group is confirmed to be using CitrixBleed in attacks against a variety of industries including finance, freight, legal and defenseWidespread Exploitation of Vulnerability by LockBit AffiliatesNovember 14, 2023A second ransomware group, Medusa, has also begun exploiting this vulnerability in attacksExploited by Second Ransomware GroupSecurity researcher Yutaka Sejiyama shared with BleepingComputer that over 10,400 Citrix servers are still vulnerable to CVE-2023-4966 with nearly a third (30%) in the United StatesUpdated Attack Surface

Identifying affected systems

The following plugins for CVE-2023-4966 and CVE-2023-4967 are available. Customers are advised to use these plugins to identify vulnerable assets.

Plugin IDTitleType183026NetScaler ADC and NetScaler Gateway Multiple Vulnerabilities (CTX579459)Version Check114100Citrix Gateway / ADC Sensitive Information ExposureTenable Web App Scanning (formerly Tenable.io Web Application Scanning)Remote Check

Get more information

Tenable Blog Post for CVE-2023-4966 (“Citrix Bleed”)CTX579459: Citrix Security Bulletin for CVE-2023-4966, CVE-2023-4967Assetnote Blog: Citrix Bleed: Leaking Session Tokens with CVE-2023-4966Mandiant Blog: Zero-Day Exploitation of CitrixBleedNetScaler Cloud Software Group Blog Post on CVE-2023-4966Greynoise Blog: Widespread Attacks Using CVE-2023-4966Kevin Beaumont Blog: Mass Exploitation of CitrixBleed including Ransomware GroupMandiant Blog: Investigation of Session Hijacking via CVE-2023-4966Kevin Beaumont: LockBit Strike Team and CitrixBleedBleepingComputer: LockBit Exploits Citrix Bleed, 10K Servers Exposed

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

   Cyber Exposure Alerts 

​  

More To Explore