Thursday, February 22, 2024

Citrix Bleed: PoC Released for Citrix NetScaler Zero-Day Vulnerability

Two vulnerabilities were disclosed by Citrix, which were CVE-2023-4966 and CVE-2023-4967, with critical and high severities, respectively. Of these two, CVE-2023-4966 has been released with a publicly available PoC. This vulnerability is associated with a sensitive information disclosure score of 9.4 (Critical).

This vulnerability existed in the Citrix Netscaler ADC and Netscaler Gateway versions before their latest release. However, Citrix has fixed this vulnerability, and patches have been issued.

CVE-2023-4966 – Proof of Concept

For diving deep, the vulnerable devices were looked upon inside the /netscaler/nsppe, the Netscaler packet processing engine containing the complete TCP/IP network stack and multiple HTTP services.

Additionally, the Ghidra tool was used to decompile the nsppe, and BinExport to create a BinDiff file. Comparing the compiled BinDiff file of two vulnerable devices, there were more than 50 different functions.

Two functions, ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config, were found to perform the same function to implement the OpenID Connect Discovery endpoint. Both of these functions are accessible without authentication.

Exploitation

The vulnerability existed on the return value of snprintf, which determines the number of bytes to send for the ns_vpn_send_response. As part of exploitation, snprintf is supplied with an exceeded buffer size of 0x20000 bytes.

Furthermore, a complete Proof of Concept report has been published by AssetNote, providing detailed information on the exploitation methods, detailed steps, and others.

Affected Products

CVE IDAffected ProductsFixed in Version
CVE-2023-4966NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
NetScaler ADC 13.1-FIPS before 13.1-37.164NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS before 12.1-55.300NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP before 12.1-55.300NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Users of these products are recommended to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Website

Latest articles

Leak of China’s Hacking Documentation Stunned Researchers

In a startling revelation that has sent shockwaves through the cybersecurity community, a massive...

Apex Code Vulnerabilities Let Hackers Steal Salesforce Data

Hackers target Apex code vulnerabilities in Salesforce to exploit security weaknesses, gain unauthorized access...

Beware of New AsukaStealer Steal Browser Passwords & Desktop Screens

An updated version of the ObserverStealer known as AsukaStealer was observed to be advertised as...

US to Pay $15M for Info About Lockbit Ransomware Operator Data

In a significant move against cybercrime, the U.S. government has announced a bounty of...

Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware

Threat actors abuse Google Drive for several malicious activities due to its widespread use,...

Swiggy Account Hacked, Hackers Placed Orders Worth Rs 97,000

In a startling incident underscoring the growing menace of cybercrime, a woman's Swiggy account...

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles