Unveiling Citrix Bleed: Maintaining privacy in the wake of multi-factor authentication bypass
In the rapidly changing landscape of cybersecurity, a recently discovered vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway raises concerns about the effectiveness of multi-factor authentication for unpatched Citrix users. The flaw, known as CVE-2023-4966 or “Citrix Bleed,” was first disclosed by Citrix on October 10, 2023. Citrix has warned that “exploits of CVE-2023-4966 on unmitigated appliances have been observed.”
Citrix software is widely used by businesses to let users securely access applications and desktops remotely. Citrix Bleed affects NetScaler Gateway appliances, which provide secure remote access to applications and desktops hosted on Citrix Virtual Apps and Desktops servers. The nickname “Citrix Bleed” refers to the vulnerability’s capacity to expose sensitive data, including session tokens, from the appliance’s memory. Unauthorized actors can then replay an acquired session token to hijack the already-authenticated session and gain access to a victim’s network without supplying a password or completing multi-factor authentication.
The vulnerability has been given a severity score of 7.5 out of 10 by the National Institute of Standards and Technology (NIST), which is regarded as “high” risk. Citrix itself rated the flaw 9.4 out of 10, which classifies the risk as “critical.” The cybersecurity firm Mandiant identified threat actors exploiting the Citrix Bleed vulnerability in the wild beginning in late August 2023, when the security flaw was still a zero-day. Additionally, Mandiant’s preliminary investigation of threat actor activity following successful exploitation of the vulnerability found network reconnaissance of the victim’s environment, credential harvesting, and lateral movement via Remote Desktop Protocol. The LockBit ransomware group has exploited the Citrix Bleed vulnerability to launch attacks against the Industrial and Commercial Bank of China, the logistics firm DP World, Allen & Overy, and Boeing.
Citrix released firmware updates to patch the vulnerability on October 10, 2023. However, even with Citrix’s patch available, an estimated 5,500 to 20,000 unpatched appliances remain exposed to this vulnerability.
Protect your organization from Citrix Bleed
Organizations that use Citrix should take the following steps to mitigate their risk of becoming a victim of Citrix Bleed:
- Apply Citrix’s security update and install the updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.
- Revoke all active and persistent sessions. Installing the patch stops new leaks, but sessions that already existed remain valid, so a session token stolen before the patch can still be replayed. Organizations should therefore terminate all sessions after patching in case an unauthorized actor obtained a legitimate session token beforehand.
- Advise employees to remain vigilant. While organizations often focus their security efforts on implementing internal controls and keeping systems up to date, a well-trained workforce is key to preventing a breach from occurring in the first place.
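The session revocation step above, as an added example that is not part of the original post or Citrix’s own tooling: a small script that runs the NetScaler CLI commands that terminate existing user and persistence sessions. It assumes SSH access to the appliance CLI as the admin account `nsroot` (an assumption; substitute your own admin account) and that the appliance address is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: terminate live and persistent
# NetScaler sessions after patching, so that any session token leaked before
# the patch can no longer be replayed to bypass MFA.
# Assumptions: SSH access to the appliance CLI as an admin account (nsroot
# below is a placeholder); the appliance host is the first argument.
set -eu

# NetScaler CLI commands that end existing ICA, RDP, PCoIP and AAA sessions
# and clear load-balancer persistence entries.
ns_revoke_commands() {
    cat <<'EOF'
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
EOF
}

# Run each revocation command on one appliance over SSH and log what was
# done, with a UTC timestamp, so the response can be evidenced later.
ns_revoke_sessions() {
    host="$1"
    logfile="${2:-/dev/stdout}"
    ns_revoke_commands | while IFS= read -r cmd; do
        printf '%s revoke %s: %s\n' "$(date -u +%FT%TZ)" "$host" "$cmd" >>"$logfile"
        ssh "nsroot@$host" "$cmd"
    done
}

# Usage: ./revoke_sessions.sh <appliance-host> [logfile]
if [ "$#" -ge 1 ]; then
    ns_revoke_sessions "$@"
fi
```

Run it once per appliance immediately after the firmware update is applied; every user will have to sign in again, which is the intended effect.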
With cybersecurity threats at an all-time high, businesses should always remain watchful for security updates to harden their environment against malicious actors. If you have any concerns about vulnerability to attacks or other breaches, questions about your company’s compliance with cyber regulations, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.