Analyst Observations of NetScaler Citrix Bleed Vulnerability
November 2023 by SecurityHQ
On the 10th of October 2023, Citrix announced the Citrix Bleed vulnerability (CVE-2023-4966), which impacts NetScaler ADC and NetScaler Gateway appliances.
Following this, the SecurityHQ team has observed multiple malicious activities initiated by exploiting this vulnerability.
How this Vulnerability Works
This vulnerability allows an unauthenticated attacker to steal session tokens via a specially crafted request and take over the active session of an already logged-in NetScaler user. The hijacked session stays active unless the legitimate user is logged out of NetScaler.
Who is Impacted by this Vulnerability?
Any external-facing NetScaler ADC and NetScaler Gateway devices. View the full list here.
What is the Risk?
The legitimate user's session will be hijacked. Even if Multifactor Authentication (MFA) is enforced for the user, it will not protect the session. The attacker can gain access to all resources that the legitimate user has, and can create a backdoor to perform further malicious activities. The ransomware group "LockBit" has already started using this vulnerability to gain initial access into networks. The IP addresses used by the actors to hijack sessions differ in each scenario.
How to Detect Suspicious Behavior in 4 Steps
Check whether the Client IP and Source IP match
If you observe that the Client IP and Source IP are not the same, that is an indication that the session has been hijacked. Expect some false positives: for example, when both IPs belong to the same subnet, or when an IP belongs to cloud provider services such as Zscaler, Microsoft or Palo Alto.
Check for long-running sessions
Check for long-running sessions through the same "default SSLVPN TCPCONNSTAT" event, which shows the session end time. Another way is to check for user Logout events by correlating them with the session ID.
Check for user logins from non-business locations
This particular use case does not apply to the session hijack scenario, but in the case of compromised credentials it is worth checking the geographic country of the source IP from the "Login" event.
Monitor POST requests from "httpaccess-vpn" logs
Check for all 'POST' requests in the "httpaccess-VPN" logs. In a successful session hijack scenario, you will see multiple POST requests for the file path "/var/netscaler/logon/LogonPoint/Authentication/GetUserName".
Also, in previously released vulnerabilities, web shells were dropped on NetScaler via POST requests.
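To show how the checks above translate into detection logic, here is an added Python example (written for this post, not SecurityHQ's own tooling) that runs steps 1, 2 and 4 over constructed sample log lines. The field layout of the "SSLVPN TCPCONNSTAT" records (Context, SessionId, ClientIP, Source, Start_time, End_time) and the Apache-style layout of the httpaccess-vpn lines are assumptions about the log format; the users, IP addresses, session IDs, the trusted cloud-proxy range and the 12-hour threshold are placeholders to be replaced with your own values. Step 3 (geolocation of the login source) is left out because it needs a GeoIP database.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog records (field layout assumed to follow the
# NetScaler "SSLVPN TCPCONNSTAT" record; users, IPs and times are made up).
SAMPLE_TCPCONNSTAT = [
    '10/25/2023:14:00:00 GMT ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1001 0 : '
    'Context alice@corp.example - SessionId: 5001 - ClientIP 192.0.2.10 - Vserver 10.0.0.1:443 '
    '- Source 192.0.2.10 - Destination 10.0.0.50:445 - Start_time "10/25/2023:13:00:00 GMT" '
    '- End_time "10/25/2023:14:00:00 GMT" - Duration 01:00:00',
    # Session created from 192.0.2.20, but the TCP connection arrives from an unrelated address.
    '10/25/2023:14:00:00 GMT ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1002 0 : '
    'Context bob@corp.example - SessionId: 5002 - ClientIP 192.0.2.20 - Vserver 10.0.0.1:443 '
    '- Source 198.51.100.77 - Destination 10.0.0.50:445 - Start_time "10/24/2023:20:00:00 GMT" '
    '- End_time "10/25/2023:14:00:00 GMT" - Duration 18:00:00',
    # Source sits in an allowlisted cloud-proxy range (placeholder range, not a real provider).
    '10/25/2023:14:00:00 GMT ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1003 0 : '
    'Context carol@corp.example - SessionId: 5003 - ClientIP 192.0.2.30 - Vserver 10.0.0.1:443 '
    '- Source 203.0.113.9 - Destination 10.0.0.50:445 - Start_time "10/25/2023:13:30:00 GMT" '
    '- End_time "10/25/2023:14:00:00 GMT" - Duration 00:30:00',
    # Client and source differ but share a /24 (e.g. a NAT pool): treated as a false positive.
    '10/25/2023:14:00:00 GMT ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1004 0 : '
    'Context dave@corp.example - SessionId: 5004 - ClientIP 192.0.2.40 - Vserver 10.0.0.1:443 '
    '- Source 192.0.2.41 - Destination 10.0.0.50:445 - Start_time "10/25/2023:13:45:00 GMT" '
    '- End_time "10/25/2023:14:00:00 GMT" - Duration 00:15:00',
]

# Constructed httpaccess-vpn lines in Apache combined-log style (assumed layout).
GETUSERNAME_PATH = "/var/netscaler/logon/LogonPoint/Authentication/GetUserName"
SAMPLE_HTTPACCESS = [
    f'192.0.2.10 - - [25/Oct/2023:12:59:58 +0000] "POST {GETUSERNAME_PATH} HTTP/1.1" 200 85 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [25/Oct/2023:13:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 1340 "-" "Mozilla/5.0"',
    f'198.51.100.77 - - [25/Oct/2023:13:55:01 +0000] "POST {GETUSERNAME_PATH} HTTP/1.1" 200 85 "-" "python-requests/2.31"',
    f'198.51.100.77 - - [25/Oct/2023:13:55:02 +0000] "POST {GETUSERNAME_PATH} HTTP/1.1" 200 85 "-" "python-requests/2.31"',
    f'198.51.100.77 - - [25/Oct/2023:13:55:03 +0000] "POST {GETUSERNAME_PATH} HTTP/1.1" 200 85 "-" "python-requests/2.31"',
]

TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder allowlist
SAME_SUBNET_PREFIX = 24        # IPv4 prefix used for the "same subnet" false-positive rule
LONG_SESSION_HOURS = 12        # placeholder threshold for step 2

TCPCONNSTAT_RE = re.compile(
    r"Context (?P<user>\S+) - SessionId: (?P<sid>\d+) - ClientIP (?P<client>\S+) "
    r"- Vserver \S+ - Source (?P<source>\S+) - Destination \S+ "
    r'- Start_time "(?P<start>[^"]+)" - End_time "(?P<end>[^"]+)"'
)
TS_FMT = "%m/%d/%Y:%H:%M:%S GMT"
HTTPACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def parse_tcpconnstat(line):
    """Extract user, session id, ClientIP, Source and start/end times; None for other lines."""
    if "SSLVPN TCPCONNSTAT" not in line:
        return None
    m = TCPCONNSTAT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["start"] = datetime.strptime(rec["start"], TS_FMT)
    rec["end"] = datetime.strptime(rec["end"], TS_FMT)
    return rec


def classify_ip_pair(client_ip, source_ip):
    """Step 1: compare ClientIP with Source, applying the false-positive rules. Returns (suspicious, reason)."""
    client, source = ipaddress.ip_address(client_ip), ipaddress.ip_address(source_ip)
    if client == source:
        return False, "same address"
    if source in ipaddress.ip_network(f"{client}/{SAME_SUBNET_PREFIX}", strict=False):
        return False, "same subnet"
    if any(source in net for net in TRUSTED_PROXY_NETS):
        return False, "known cloud proxy"
    return True, "client/source mismatch"


def find_hijack_candidates(lines):
    """Sessions whose TCP connections come from an address unrelated to the session's ClientIP."""
    hits = []
    for rec in filter(None, map(parse_tcpconnstat, lines)):
        suspicious, reason = classify_ip_pair(rec["client"], rec["source"])
        if suspicious:
            hits.append({k: rec[k] for k in ("sid", "user", "client", "source")} | {"reason": reason})
    return hits


def find_long_sessions(lines, max_hours=LONG_SESSION_HOURS):
    """Step 2: sessions whose Start_time/End_time span exceeds the threshold."""
    hits = []
    for rec in filter(None, map(parse_tcpconnstat, lines)):
        hours = (rec["end"] - rec["start"]).total_seconds() / 3600
        if hours > max_hours:
            hits.append({"sid": rec["sid"], "user": rec["user"], "hours": hours})
    return hits


def count_getusername_posts(lines):
    """Step 4: POST requests to the GetUserName path, counted per source address."""
    counts = Counter()
    for m in filter(None, map(HTTPACCESS_RE.match, lines)):
        if m["method"] == "POST" and m["path"] == GETUSERNAME_PATH:
            counts[m["ip"]] += 1
    return counts


def flag_repeated_getusername(lines, threshold=2):
    """Addresses that repeat the GetUserName POST, the pattern seen after a successful hijack."""
    return {ip: n for ip, n in count_getusername_posts(lines).items() if n >= threshold}


if __name__ == "__main__":
    print("step 1, IP mismatch:", find_hijack_candidates(SAMPLE_TCPCONNSTAT))
    print("step 2, long sessions:", find_long_sessions(SAMPLE_TCPCONNSTAT))
    print("step 4, repeated GetUserName POSTs:", flag_repeated_getusername(SAMPLE_HTTPACCESS))
```

The same three functions can be fed real log lines from the SIEM instead of the constructed samples; the allowlist and thresholds are where the false-positive tuning described above happens, and a hit on step 1 that also appears in step 4 from the same source address is the strongest signal in this set.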
Recommendations to Users
Patch the NetScaler to the latest version.
Kill all active and persistent sessions:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
Enforce MFA for all users on NetScaler. It won't prevent sessions from being hijacked, but it can at least prevent interactive login in case of credential compromise.
Create use cases in the SIEM tool to detect session hijacks and other suspicious patterns.
Block all IOCs provided by Threat Intel platforms.
Place the NetScaler behind a firewall, and enforce country-based restrictions where possible.
Always have 24x7 SOC monitoring to detect suspicious activities proactively.