Experts issued security alerts concerning the ongoing exploitation of BIG-IP (CVE-2023-46747, CVE-2023-46748) and Citrix (CVE-2023-4966) vulnerabilities.
The publicly available proofs of concept (PoCs) for these vulnerabilities were rapidly circulated on cybercrime forums.
Over 20,000 “NetScaler” instances and 1,000 “BIG-IP” instances are reachable online.
These systems might be attractive targets for attackers and might be exposed to current security flaws, according to Cyble researchers.
The first vulnerability, identified as CVE-2023-46747, allows an attacker with network access to the BIG-IP system over the management port and/or self-IP addresses to execute arbitrary system commands.
Undisclosed requests could bypass configuration utility authentication.
The next vulnerability is tracked as CVE-2023-46748 in the BIG-IP Configuration utility. It allows an authenticated attacker to execute arbitrary system commands if they have network access to the Configuration utility through the BIG-IP management port or self-IP addresses.
F5 BIG-IP Virtual Edition is linked to CVE-2023-46747 and CVE-2023-46748. F5 has observed threat actors using CVE-2023-46747 to launch attacks that take advantage of CVE-2023-46748.
Praetorian Labs security professionals found these vulnerabilities and made the information public on October 26, 2023.
They discovered an authentication bypass flaw that could result in a full compromise of F5 systems with an exposed Traffic Management User Interface (TMUI).
To mitigate this issue, you can run the script provided in the F5 advisory for BIG-IP versions 14.1.0 and later.
With a critical CVSS score of 9.4, CVE-2023-4966 is categorized as a “sensitive information disclosure” vulnerability. Its elevated score for an information disclosure vulnerability makes it noteworthy.
Researchers at Assetnote examined and documented the exploitation of CVE-2023-4966.
Customers of NetScaler ADC and NetScaler Gateway are strongly encouraged by Citrix to install the appropriate upgraded versions of these products as soon as possible:
Since attackers are currently targeting the vulnerabilities, it is recommended that mitigations be applied as soon as possible.