Guidance for Addressing Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966, Citrix Bleed
Note: CISA will continue to update this webpage as we have further guidance to impart.
Summary
CISA and our partners are responding to active, targeted exploitation of a vulnerability, CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway. The vulnerability is also known as Citrix Bleed. The affected products contain a memory-safety flaw (an unauthenticated out-of-bounds read, or buffer over-read) that returns the contents of appliance memory to a remote requester when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted.
Exploitation of this vulnerability could allow for the disclosure of sensitive information, including session authentication tokens that may allow a threat actor to “hijack” a user’s session[1]. Because a leaked token represents a session that has already completed authentication, replaying it requires no credentials and bypasses multifactor authentication, and the token remains usable until that session is terminated; applying the update alone does not invalidate sessions that were already established.
Technical Details
On Oct. 10, 2023, Citrix released security updates to address CVE-2023-4966 in NetScaler ADC and NetScaler Gateway.
On Oct. 17, Citrix updated its Alert to include “exploits of CVE-2023-4966 on unmitigated appliances have been observed.”
On Oct. 18, CISA added an entry for CVE-2023-4966 to its Known Exploited Vulnerabilities (KEV) catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966.
On Oct. 23, Citrix released a blog, providing recommended next steps and a link to Mandiant’s Oct. 17 guidance for remediating and reducing risks related to CVE-2023-4966: Remediation for Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966).
CISA urges organizations to update unmitigated appliances to the fixed versions listed below, then terminate all active and persistent sessions (ICA, RDP, PCoIP and AAA sessions and load-balancer persistent sessions, as directed in Citrix’s Oct. 23 guidance) so that any tokens leaked before the update can no longer be replayed, hunt for any malicious activity, and report any positive findings to CISA.
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
- Note: NetScaler ADC and NetScaler Gateway version 12.1 (other than the 12.1-FIPS and 12.1-NDcPP builds listed above) is now End-of-Life (EOL) and receives no fix. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerability.
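The version list above is easy to misread in a fleet review because the FIPS and NDcPP branches use their own build numbering and standard 12.1 has no fixed build at all. The following script, an added example that is not CISA’s or Citrix’s code, encodes the list as a lookup table and classifies each appliance as fixed, vulnerable, EOL, not exposed (no Gateway or AAA virtual server configured) or unknown. It assumes the first line of the NetScaler CLI command `show ns version` has the layout shown in the comment (verify this against your own appliances); the inventory it runs on is constructed sample data, and the hostnames and the `variant` and `exposed` labels are placeholders the operator must supply, since the build number alone does not identify the branch.

```python
"""Classify NetScaler ADC / Gateway builds against the CVE-2023-4966 fixed releases.

Added example; not CISA or Citrix code. The fixed-build table is transcribed
from the advisory's list; everything else is an assumption noted inline.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed build per branch, from the advisory's list.
# Key: (release, variant). variant is "" for standard builds, "FIPS" or "NDcPP"
# for the hardened branches, which carry their own build numbering.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Standard 12.1 is End-of-Life and receives no fix; only an upgrade remediates it.
EOL_RELEASES = {"12.1"}

# Assumed layout of the first line of `show ns version`, for example:
#   "NetScaler NS13.1: Build 49.13.nc, Date: Sep 28 2023, 15:32:11   (64-bit)"
# Only the "NS<release>: Build <build>.<rev>" portion is needed.
_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(line: str) -> Optional[Tuple[str, int, int]]:
    """Return (release, build, revision) from a `show ns version` line, or None."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(line: str, variant: str = "", exposed: bool = True) -> str:
    """Classify one appliance.

    variant -- "" (standard), "FIPS" or "NDcPP". The build number does not say
               which branch an appliance is on, so the operator supplies it.
    exposed -- True if a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual
               server is configured; the flaw is only reachable through those.
    Returns "fixed", "vulnerable", "eol", "not-exposed" or "unknown".
    """
    parsed = parse_version(line)
    if parsed is None:
        return "unknown"
    release, build, rev = parsed
    key = (release, variant)
    if key in FIXED_BUILDS:
        if (build, rev) >= FIXED_BUILDS[key]:
            return "fixed"
        # Vulnerable code present; reachable only via a Gateway/AAA vserver.
        return "vulnerable" if exposed else "not-exposed"
    if release in EOL_RELEASES:
        return "eol"
    return "unknown"


# Constructed inventory (hostname -> (version line, variant, exposed)); not real data.
SAMPLE_FLEET: Dict[str, Tuple[str, str, bool]] = {
    "ns-edge-01": ("NetScaler NS13.1: Build 49.13.nc", "", True),
    "ns-edge-02": ("NetScaler NS13.1: Build 49.15.nc", "", True),
    "ns-fips-01": ("NetScaler NS13.1: Build 37.164.nc", "FIPS", True),
    "ns-lb-01": ("NetScaler NS13.0: Build 92.18.nc", "", False),
    "ns-old-01": ("NetScaler NS12.1: Build 65.39.nc", "", True),
}


def assess_fleet(fleet: Dict[str, Tuple[str, str, bool]]) -> Dict[str, str]:
    """Map each hostname to its classification."""
    return {host: assess(line, variant, exposed)
            for host, (line, variant, exposed) in fleet.items()}


def needs_action(fleet: Dict[str, Tuple[str, str, bool]]) -> List[str]:
    """Hosts that must be patched or upgraded now (and have all sessions killed)."""
    return sorted(h for h, s in assess_fleet(fleet).items() if s in ("vulnerable", "eol"))


if __name__ == "__main__":
    for host, status in assess_fleet(SAMPLE_FLEET).items():
        print(f"{host:12} {status}")
    print("action required:", ", ".join(needs_action(SAMPLE_FLEET)))
```

Two classifications deserve a second look in practice: a "not-exposed" appliance still runs vulnerable code and should be updated at the next opportunity, and a 13.1 appliance reported with a 37.x build but labelled as standard rather than FIPS will be compared against the wrong threshold, so confirm the branch before trusting the result.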
Resources
This information is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.
Mitigation Guidance
- Citrix Blog: CVE-2023-4966: Critical security update now available for NetScaler ADC and NetScaler Gateway
- Citrix Advisory: NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966
- Citrix NetScaler secure deployment guide: Best practices for NetScaler MPX, VPX, and SDX security.
Additional Resources
- CISA: BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces
- Mandiant: Remediation for Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)
- Assetnote: Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
- Palo Alto Networks: Threat Brief: Citrix Bleed CVE-2023-4966