On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, which affects NetScaler ADC and NetScaler Gateway. If exploited, CVE-2023-4966 can result in unauthorized data disclosure. This vulnerability was discovered by our internal team, and at the time of disclosure, we were not aware of any exploits in the wild.
We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability.
You can find details in the security bulletin.
If you are using affected builds and have configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, we strongly recommend that you immediately install the recommended builds because this vulnerability has been identified as critical. No workarounds are available for this vulnerability.
In both this communication and the related security bulletin, we are sharing limited technical details to protect our customers from exploits leveraging this vulnerability within NetScaler to conduct session hijacking of other systems.
The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. Additionally, Mandiant has provided guidance. If you are a Citrix-managed cloud service or Citrix-managed Adaptive Authentication customer, no action is required. This guidance applies to customer-managed NetScaler ADC or NetScaler Gateway only.
Recommended next steps
If you are using any of the affected builds listed in the security bulletin, you should update immediately by installing the recommended builds. In addition, we also recommend killing all active and persistent sessions using the following commands:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
Note: Please ensure that the formatting remains intact as you copy and paste these commands.
If you are using NetScaler ADC or NetScaler Gateway instances on SDX hardware, you will need to upgrade VPX instances (the underlying SDX hardware, itself, is not affected).
NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway (VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as an AAA virtual server (traditional load balancing configurations, for example) and related products such as NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.
Update installation
Permanent fixes are available to download for NetScaler ADC and NetScaler Gateway:
For an overview of the steps to identify and remediate vulnerable NetScaler ADCs through NetScaler Application Delivery Management (formerly Citrix ADM), please watch this video.
We recommend following the NetScaler secure configuration and deployment guide.
Learn more and stay up to date
- Read the security bulletin
- Sign up for security bulletin notifications
- Consult the best practices deployment guide
Technical assistance
NetScaler and Citrix are both business units of Cloud Software Group, and we share the same ticketing system. If you encounter issues when you are updating your affected builds, please contact Citrix Customer Support, irrespective of whether your product includes NetScaler branding or Citrix branding.
FAQs
As a NetScaler customer, what should I do now?
Exploits of this vulnerability have been reported. If you are using the affected builds of NetScaler ADC and NetScaler Gateway, we strongly urge you to install the updated builds as soon as possible, as instructed in the security bulletin.
When did Mandiant discover the incident and report it to Cloud Software Group?
Mandiant reported an apparent exploitation of the vulnerability to Cloud Software Group after our October 10 disclosure of CVE-2023-4966. As Mandiant conducted intrusion investigations after October 10, Mandiant discovered evidence that resulted in its public report on October 17 that the zero-day exploitation occurred in late August 2023.
What is the impact of this vulnerability?
An unauthenticated attacker can perform unauthorized data disclosure and possibly session hijacking. Please refer to the security bulletin.
Is Cloud Software Group planning to deliver a code fix?
Yes, Cloud Software Group has delivered a code fix. Please refer to the security bulletin.
Is there a workaround or mitigation that I can use instead of updating?
No workarounds or mitigations are available beyond upgrading to a build that addresses the vulnerability as described in the security bulletin.
How urgent is it for me to fix my deployment?
If you are using an affected build, we urge you to install the recommended updates immediately, as this vulnerability has been identified as critical. We are aware of targeted attacks in the wild using this vulnerability.
Does this vulnerability affect only on-premises deployments or are cloud services also impacted?
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway appliances. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
Can I fix this vulnerability using NetScaler Web Application Firewall signatures?
No, it is not possible to fix the vulnerability with NetScaler Web Application Firewall signatures.
How will I know if my device is already compromised?
Cloud Software Group is unable to provide forensic analysis to determine if a system may have been compromised.
What is the CVSS score for this issue?
The CVSS score of CVE-2023-4966 is 9.4.
Are there additional details on the NetScaler ADC and NetScaler Gateway vulnerability that are not in the security bulletin?
No. Cloud Software Group is limiting information to the details contained in its security bulletin.
Does Cloud Software Group provide forensic analysis?Cloud Software Group is unable to provide forensic analysis to determine if a system may have been compromised.
Why did Cloud Software Group not reach out directly to me in advance?
To best protect all of our customers, Cloud Software Group releases security bulletins to customers and the public simultaneously. This is standard industry practice to ensure that all customers can upgrade as soon as possible. We provided notifications to customers who had signed up to receive security bulletins. If you are not receiving NetScaler security bulletins, update your support alert settings.
How can I get support?
If you encounter any issues during your update, please contact Citrix Customer Support. NetScaler and Citrix are both business units of Cloud Software Group, and we share the same ticketing system.
Where can I learn more about this vulnerability?
You can find more details in the security bulletin
How do I stay up to date on the latest security updates?
Sign up for security bulletin notifications.
How do I learn more about reporting any potential security vulnerabilities?
Cloud Software Group welcomes input regarding the security of its products and takes any potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Cloud Software Group, please visit our trust center.
Cloud Software Group is committed to incorporating your feedback as we adapt our communication and customer support offerings. To provide feedback, contact Citrix Customer Support.