Citrix Bleed: CVE-2023-4966

Vaibhav Kumar Srivastava
3 min read · Oct 28, 2023


CVE-2023-4966, another vulnerability affecting Citrix products, is a significant concern. This sensitive information disclosure vulnerability lets an attacker read large amounts of memory beyond the intended buffer limits. Notably, the leaked memory contains session tokens, which allow the attacker to impersonate a different, already authenticated user. This makes the bug a grave threat to system security and user integrity and calls for immediate attention and remediation.

Affected Systems:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300

Exploitation Demo:

Step 1: Navigate to the endpoint where the Citrix instance is hosted (Example: https://apps.example.com/logon/LogonPoint/tmindex.html)

Step 2: Check whether the openid-configuration endpoint is accessible (Example: https://apps.example.com/oauth/idp/.well-known/openid-configuration)

Step 3: Intercept the request in Burp Suite and replace the Host header value with the letter "a" repeated 24576 times to trigger the buffer overflow while the value is printed. Memory contents are then leaked in the response.

Step 4: To check whether a leaked session ID from the response is still valid, send it as the session cookie (Cookie: NSC_AAAC=Session_id).

Remediation: Apply the patch or update. Citrix has released security patches to address this vulnerability.

NOTE: If you are using NetScaler ADC or NetScaler Gateway instances on SDX hardware, you will need to upgrade VPX instances (the underlying SDX hardware, itself, is not affected). NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway (VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as an AAA virtual server (traditional load balancing configurations, for example) and related products such as NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.
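As an added check (written for this post, not code from Citrix or the original author), the following Python compares a NetScaler build string against the fixed builds in the Affected Systems list above and applies the configuration caveat from the note. The input format "13.1-49.13" with an optional "-FIPS" or "-NDcPP" suffix is an assumption; adapt the parser to whatever your inventory system records.

```python
"""Assess a NetScaler ADC / Gateway build against the CVE-2023-4966 fixed builds."""
import re

# Release train -> first fixed (build, sub-build), taken from the Affected Systems list.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}

# Assumed input format: "<major>.<minor>-<build>.<sub>[-FIPS|-NDcPP]"
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")


def parse_version(version):
    """Return (release_train, (build, sub)) for a string such as '13.1-37.100-FIPS'."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    release, build, sub, variant = match.groups()
    train = f"{release}-{variant}" if variant else release
    return train, (int(build), int(sub))


def assess(version, is_gateway_or_aaa=True):
    """Classify a build as 'patched', 'vulnerable', 'not-exposed' or 'unknown-train'.

    is_gateway_or_aaa=False models the note above: appliances not configured as a
    gateway or AAA virtual server are not affected even on a vulnerable build.
    """
    train, build = parse_version(version)
    if train not in FIXED_BUILDS:
        return "unknown-train"  # release train not in the advisory list above
    if build >= FIXED_BUILDS[train]:  # tuple compare: build first, then sub-build
        return "patched"
    if not is_gateway_or_aaa:
        return "not-exposed"
    return "vulnerable"


if __name__ == "__main__":
    for v in ("13.1-49.13", "13.1-49.15", "13.1-37.100-FIPS", "12.1-55.300-NDcPP"):
        print(v, "->", assess(v))
```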

Any Automated Tools available to test?

Yes, you can download the tool from GitHub and follow the steps on its page to run the test.

URL: https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966

If you want to read more about this CVE, refer to the articles linked below:

Stay Curious, Stay Protected!!


Written by Vaibhav Kumar Srivastava

Penetration Tester | Masters in Information Security
