Earlier this month, Citrix published a vulnerability discovered in hardware sold by the company and recommended customers updated versions of NetScaler ADC and NetScaler Gateway. A week following the advisory, Mandiant reported that the vulnerability had been used as a zero-day exploit in the wild as early as August 2023, observing exploitation at professional services, technology, and government organizations. The vulnerability is currently being actively exploited by threat actors with a severity rating of 9.4 out of 10, and bypassing multifactor authentication. Which makes this very bad. And it has been dubbed “Citrix Bleed”.
Avishai Avivi, CISO, SafeBreach
It is always bad news when a vulnerability comes under mass exploitation. As the Clop ransomware group’s exploitation of GoAnywhere and MoveIT showed, this will often result in millions of compromised records. This recent Citrix NetScaler vulnerability may become the next mass exploit with some notable differences.
NetScaler, unlike the software mentioned above, is specifically meant to serve as a security device. The mechanism that threat actors are exploiting, the Multi-Factor Authentication (MFA) mechanism, is itself a mechanism that boosts the overall security of the device. The other notable aspect is the timeline surrounding this particular vulnerability. More specifically, security researchers reported exploitation of this vulnerability to Citrix in late August 2023. Citrix released a patch and bulletin on October 10, 2023. Several reports show that, as of today, nearly three weeks after the bulletin, thousands of Citrix NetScaler devices remain unpatched and vulnerable.
I view Citrix’s response with mixed feelings. On the one hand, they promptly issued a patch for a critical vulnerability. On the other, they were too relaxed in communicating the urgency of this patch to their customers. This lack of urgency gets compounded when network and security administrators responsible for these devices fail to patch high and critical severity vulnerabilities. This failure indicates a flawed vulnerability management program. Critical and high-severity vulnerabilities should never remain unpatched or unmitigated for over a week, let alone three.
Tom Marsland, VP of Technology, Cloud Range
This vulnerability, designated CVE-2023-4966, now nicknamed “Citrix Bleed,” demonstrates what can happen when devices go unpatched. It’s not important enough that organizations track and remediate vulnerabilities. They must prioritize them, which means having cybersecurity experts who understand the vulnerabilities and the risk their company is under with these vulnerabilities. This goes to highlight the cybersecurity shortage occurring at the mid-level across the industry.
This vulnerability has a CVSSv3 score of 9.4 – it was first observed in late August, and a patch was released on October 10th. Three weeks should be plenty of time to investigate vulnerabilities and patch them in (at least) the public-facing environment – the fact that this is not occurring on some estimated 20,000 cases, again, highlights poor vulnerability management/asset tracking programs and an understaffed cybersecurity workforce at large. Not until we push cybersecurity education further down into our K-12 school systems and provide hands-on, competency-based training for our industry professionals, do I think we’ll truly be able to wrap our hands around this problem.
I am now just bracing myself for a new round of ransomware attacks because of this vulnerability on a similar scale of what has been seen with MOVEit. This sort of situation I used to think was the worst case scenario. But now it seems to be the norm. And that’s bad for all of us and needs to change.