Take these important actions now to mitigate vulnerabilities in NetScaler ADC and NetScaler Gateway products

On Oct 10, 2023, Citrix released a security bulletin for two previously unknown zero-day vulnerabilities: CVE-2023-4966 and CVE-2023-4967. These vulnerabilities affect the NetScaler ADC and NetScaler Gateway products. When exploited, they allow an attacker to take over an active session, effectively impersonating a trusted user.

Citrix recommends the following actions to mitigate the vulnerabilities:

1. Kill all active sessions to the NetScaler ADC and Gateway products.
2. Immediately upgrade vulnerable products to unimpacted versions.

In addition to performing the recommended actions from Citrix, potentially impacted organizations should take the following precautions as part of their incident response process:

Note: The following response steps should be performed before upgrading the vulnerable products to avoid overwriting pertinent artifacts. Once the artifacts are preserved, continue with upgrading the vulnerable products.

1. Preserve log and appliance information:
   1. Create a snapshot of the NetScaler products including its memory.
   2. Preserve log information from the NetScaler products, Web Application Firewalls, Load Balancers, and any other devices in front of the NetScaler products.
2. Review logs for abnormal web requests originating from suspicious IP addresses.
   1. Geolocate IP addresses to determine if non-authorized users attempted connection.
   2. Look for requests to ‘oauth/idp/.well-known/openid-configuration’ or other configuration and administration URLs.
   3. Correlate sessions to IP addresses to identify if a single session has more than one associated IP address.
3. Depending on the above findings, additional forensic analysis may be necessary to examine internal host systems to identify additional post-exploitation activity.

Additional steps for mitigation if abnormal access is identified:

• Consider changing all NetScaler ADC and Gateway passwords.
• Revoke and reissue SSL certificates.
• Change Active Directory NetScaler account passwords.
• Consider performing a user account audit of Active Directory.

Additional Resources

• NetScaler instructions to kill all sessions
• NIST CVE-2023-4966 Detail
• NIST CVE-2023-4967 Detail
• CISA Guidance on CVE-2023-4966

Check out IronGate’s Digital Forensics and Incident Response capabilities: