Citrix Bleed: PoC Released for Citrix NetScaler Zero-Day Vulnerability

Two vulnerabilities were disclosed by Citrix, which were CVE-2023-4966 and CVE-2023-4967, with critical and high severities, respectively. Of these two, CVE-2023-4966 has been released with a publicly available PoC. This vulnerability is associated with a sensitive information disclosure score of 9.4 (Critical).

This vulnerability existed in the Citrix Netscaler ADC and Netscaler Gateway versions before their latest release. However, Citrix has fixed this vulnerability, and patches have been issued.

CVE-2023-4966 – Proof of Concept

For diving deep, the vulnerable devices were looked upon inside the /netscaler/nsppe, the Netscaler packet processing engine containing the complete TCP/IP network stack and multiple HTTP services.

- Advertisement -

Additionally, the Ghidra tool was used to decompile the nsppe, and BinExport to create a BinDiff file. Comparing the compiled BinDiff file of two vulnerable devices, there were more than 50 different functions.

Two functions, ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config, were found to perform the same function to implement the OpenID Connect Discovery endpoint. Both of these functions are accessible without authentication.

Exploitation

The vulnerability existed on the return value of snprintf, which determines the number of bytes to send for the ns_vpn_send_response. As part of exploitation, snprintf is supplied with an exceeded buffer size of 0x20000 bytes.

Furthermore, a complete Proof of Concept report has been published by AssetNote, providing detailed information on the exploitation methods, detailed steps, and others.

Affected Products

Users of these products are recommended to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.