Articles Tagged with: Citrix vulnerability

Flash Alert

Flash Alert – Further vulnerabilities reported in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA

Ivanti has disclosed two new vulnerabilities affecting its Connect Secure, Policy Secure and Neurons for ZTA products.

Ivanti Connect Secure & Ivanti Policy Secure

CVE-2024-21888

CVSS: 8.8 HIGH

Ivanti has disclosed a further vulnerability affecting its Connect Secure and Policy Secure products. It affects all currently supported versions (9.x and 22.x) and allows a user of the web component, malicious or otherwise, to elevate their privileges to those of an administrator.

Ivanti Connect Secure, Ivanti Policy Secure & Ivanti Neurons for ZTA

CVE-2024-21893

CVSS: 8.2 HIGH

A server-side request forgery (SSRF) vulnerability exists in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA. When exploited, a threat actor can access certain restricted resources without authentication.

No threat actor use of CVE-2024-21888 has yet been observed, but there has been limited, targeted exploitation of CVE-2024-21893. Now that both vulnerabilities are public, exploitation of affected services is expected to increase, so it is vital that they are fully patched and updated to mitigate the risk.

The disclosure of these vulnerabilities follows Ivanti’s investigation into the vulnerabilities disclosed earlier in the month, CVE-2023-46805 and CVE-2024-21887 (previously reported here). Given the volume of vulnerabilities coming from Ivanti at this time, threat actors are expected to put increased effort into finding more of them in order to exploit vulnerable users.

Flash Alert

Flash Alert – Vulnerabilities reported in Ivanti ICS, Ivanti Policy Secure and Citrix NetScaler

In the past week, the following vulnerabilities have been disclosed, affecting:

  • Ivanti Connect Secure (ICS)
  • Ivanti Policy Secure
  • Citrix NetScaler ADC
  • Citrix NetScaler Gateway

Ivanti ICS & Ivanti Policy Secure

CVE-2023-46805

CVSS: 8.2 HIGH

CVE-2024-21887

CVSS: 9.1 CRITICAL

Ivanti has disclosed two significant vulnerabilities affecting its Connect Secure and Policy Secure gateways, specifically versions 9.x and 22.x.

CVE-2023-46805 is an authentication bypass vulnerability in the web component that allows a remote threat actor to access restricted resources by bypassing control checks. CVE-2024-21887 is a command injection vulnerability in the web component that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the vulnerable appliance.

When chained, the two allow an unauthenticated threat actor to compromise a vulnerable appliance and execute code with administrator rights, leaving the victim organisation exposed to a significant risk of network intrusion and further criminal activity.

Palo Alto Networks’ Unit 42 has observed over 30,000 vulnerable devices across 141 countries and is actively responding to incidents involving these vulnerabilities, confirming their use by threat actors in the wild.

Ivanti is currently working on patches for these vulnerabilities. In the meantime, it is recommended that the mitigations Ivanti has published are applied to avoid unnecessary risk. These can be found here.

Citrix NetScaler ADC & Citrix NetScaler Gateway

CVE-2023-6548

CVSS: 5.5 MEDIUM

CVE-2023-6549

CVSS: 8.2 HIGH

Citrix has identified and disclosed further vulnerabilities in its NetScaler ADC and NetScaler Gateway products.  The following supported versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302*
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302*

*NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) and remains vulnerable; customers on 12.1 should upgrade to a supported version.

CVE-2023-6548 allows a threat actor with authenticated, low-privileged access to execute code remotely on the management interface of a vulnerable device. Exploitation requires network access to the NSIP, CLIP or a SNIP that has management interface access enabled.

CVE-2023-6549 applies to appliances configured as one of the following:

  • VPN virtual servers
  • ICA proxies
  • CVPNs
  • RDP proxies
  • AAA virtual servers

The vulnerability stems from insufficient restriction of operations within the bounds of a memory buffer, allowing an unauthenticated threat actor to cause a denial of service against the affected virtual server.

Updating to the fixed builds listed above (or later) resolves both issues. Until that can be done, Citrix recommends the following:

  • Ensure network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic
  • Ensure the management interface is not exposed to the internet
  • Ensure all previous patches are installed and software is up-to-date

Citrix has noted that these vulnerabilities have been observed in the wild and targeted by threat actors.

Flash Alert

Flash Alert – CitrixBleed victim with impacts on UK legal sector

CVE-2023-4966

CVSS: 9.4 CRITICAL

In October 2023 we reported on an observation of a threat actor exploiting CVE-2023-4966, a vulnerability in Citrix NetScaler since dubbed CitrixBleed.  Further information on that report can be found here.

This vulnerability allows threat actors to hijack existing, authenticated sessions and so bypass multi-factor authentication. With a hijacked session they can take full control of a NetScaler environment, and therefore of the application delivery it manages.

We’d previously stated an expectation that this vulnerability would continue to be exploited, given the slow patch rate, and that prediction appears to have been correct. In the last week it has been reported that managed service provider (MSP) CTS has suffered a significant cyberattack as a result of CitrixBleed.

CTS provides IT services to the UK legal sector. As a result of the attack, up to 200 UK firms and offices are estimated to have been significantly affected, losing access to systems and databases crucial to their operations. The incident was first noted on Wednesday 22nd November 2023 and continued into the weekend. This has had a significant impact on property buyers, as Fridays are the busiest days for purchase completions.

There is limited information available regarding the overall scope of the attack against CTS, but it has been suggested that ransomware was deployed, which we will continue to monitor for. It is unknown whether any sensitive or confidential information has been affected, but the incident has been reported to the ICO.

The targeting of an MSP at this time is significant. The UK Government decided not to include an update to the NIS Regulations in the most recent King’s Speech, meaning that these will likely not be considered until after the next general election in 2024. Updating these regulations would treat MSPs as critical infrastructure, encouraging them to focus on and improve their own cybersecurity and defences in order to prevent supply chain attacks. In the foreword to the UK Government’s “Proposal for legislation to improve the UK’s cyber resilience”, Julia Lopez MP, Minister of State for Media, Data, and Digital Infrastructure, described MSPs as:

“an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services,”

This is not the first such attack against an MSP in the UK. In August 2022, IT supplier Advanced was targeted with ransomware, which had a serious impact on the NHS’s ability to deliver care. In January 2023 the UK National Cyber Security Centre (NCSC) issued a warning regarding the use of MSPs, noting that use of their services increases an organisation’s attack surface. An MSP with access to multiple clients makes a “juicy target” for threat actors wanting to cause as much disruption as possible.

Photo by Tingey Injury Law Firm on Unsplash.

Flash Alert

Flash Alert – Citrix vulnerability being exploited in the wild

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

Cloud-computing company Citrix has begun alerting customers to a critical vulnerability in its NetScaler ADC and NetScaler Gateway products. CVE-2023-3519, an unauthenticated remote code execution vulnerability, has been observed being exploited in the wild, and all users of the affected products are being urged to ensure the latest updates and patches are installed.

For a threat actor to exploit this vulnerability, the vulnerable appliance needs to be configured as a gateway (e.g. CVPN, ICA Proxy, RDP Proxy or VPN virtual server) or as an authentication virtual server (AAA server).

Identified through our OSINTSEARCH tool, exploits against Citrix ADC have been discussed on the cybercrime forum XSS, including the sale of a Remote Code Execution (RCE) exploit:

[Screenshot of the XSS forum post, and its translation, not reproduced here]

Citrix strongly advises its customers to move to the updated versions that fix this issue:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0 
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS 
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS 
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.

Citrix customers can begin checking for compromise by looking for web shells, i.e. files in the web root that are newer than the last installation of the Citrix software. HTTP error logs may also reveal anomalies indicative of initial exploitation, and system administrators should review shell logs for unexpected commands, which may indicate the post-exploitation phase of an attack.
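As an added example (not code from Citrix or from the original post), the following POSIX shell script carries out the three checks just described on a NetScaler appliance, with constructed sample data so it can be run offline. It assumes the appliance's default locations for the web root (/netscaler/ns_gui) and logs (/var/log/httperror.log, /var/log/sh.log, /var/log/bash.log); the grep indicators and the sample log lines are illustrative, and the reference-file path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not Citrix's or SOS Intelligence's code): a triage script for a
# NetScaler ADC/Gateway suspected of CVE-2023-3519 exploitation. It implements the
# three checks described above:
#   1. files under the web root newer than the last install (candidate web shells),
#   2. HTTP error log lines that hint at exploitation attempts,
#   3. shell log lines showing commands unusual for an interactive admin session.
# The default paths are the appliance's standard locations; the grep patterns are
# illustrative indicators chosen for this example, not a published IOC list.

WEBROOT="${WEBROOT:-/netscaler/ns_gui}"
HTTPERR="${HTTPERR:-/var/log/httperror.log}"
SHLOGS="${SHLOGS:-/var/log/sh.log /var/log/bash.log}"

# 1. Files in the web root modified after a reference file. Use a file whose
#    mtime is the last upgrade (only upgrades legitimately write here), so any
#    newer file, particularly a .php one, is worth inspecting.
find_new_webfiles() {                   # $1 web root, $2 reference file
    find "$1" -type f -newer "$2" 2>/dev/null || true
}

# 2. HTTP error log lines referencing shell scripts, PHP files under /vpn/
#    (where web shells for this CVE have been dropped) or appliance config
#    paths appearing in client requests.
scan_httperror() {                      # $@ log files
    grep -hE '\.sh($| )|/vpn/[^ ]*\.php|/nsconfig/' "$@" 2>/dev/null || true
}

# 3. Shell log lines with commands attackers run after landing a web shell but
#    administrators rarely type: encoding helpers, downloaders, config exfil,
#    marking dropped files executable.
scan_shell_logs() {                     # $@ log files
    grep -hE 'base64|curl |wget |python|openssl enc|ns\.conf|chmod \+x' "$@" 2>/dev/null || true
}

# Run all three checks against the live appliance paths.
triage() {                              # $1 reference file (last-upgrade timestamp)
    echo "== web root files newer than $1 =="; find_new_webfiles "$WEBROOT" "$1"
    echo "== suspicious httperror.log entries =="; scan_httperror $HTTPERR
    echo "== suspicious shell log entries =="; scan_shell_logs $SHLOGS
}

# --- Constructed sample data for an offline demonstration ---------------------
# Builds a throwaway web root and log files, runs the three checks and prints
# the hit counts as "new_files httperr_hits shell_hits" (expected: 1 2 2).
run_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ns_gui/vpn" "$tmp/log"
    # Shipped files and the install stamp all date from the last upgrade.
    touch -t 202306010000 "$tmp/ns_gui/.install_stamp" \
        "$tmp/ns_gui/vpn/index.html" "$tmp/ns_gui/vpn/login.js"
    # A PHP file that appeared after the upgrade: the footprint of a web shell.
    touch -t 202307200930 "$tmp/ns_gui/vpn/cache.php"
    cat >"$tmp/log/httperror.log" <<'EOF'
[Thu Jul 20 09:28:11 2023] [error] [client 203.0.113.7] File does not exist: /netscaler/ns_gui/vpn/favicon.ico
[Thu Jul 20 09:29:42 2023] [error] [client 203.0.113.7] PHP Warning: file_put_contents(/netscaler/ns_gui/vpn/cache.php): Permission denied
[Thu Jul 20 09:30:03 2023] [error] [client 203.0.113.7] script '/netscaler/ns_gui/vpn/cache.php' not found
[Thu Jul 20 09:30:20 2023] [error] [client 198.51.100.4] Invalid method in request QUIT
EOF
    cat >"$tmp/log/bash.log" <<'EOF'
Jul 20 09:31:05 <local7.notice> ns bash[4711]: nsroot on /dev/pts/0 shell_command="cd /netscaler/ns_gui/vpn"
Jul 20 09:31:20 <local7.notice> ns bash[4711]: nsroot on /dev/pts/0 shell_command="cat /nsconfig/ns.conf | base64"
Jul 20 09:31:44 <local7.notice> ns bash[4711]: nsroot on /dev/pts/0 shell_command="chmod +x /tmp/.x/run.sh"
Jul 20 09:32:10 <local7.notice> ns bash[4711]: nsroot on /dev/pts/0 shell_command="show ns version"
EOF
    new=$(find_new_webfiles "$tmp/ns_gui" "$tmp/ns_gui/.install_stamp" | awk 'END{print NR}')
    http=$(scan_httperror "$tmp/log/httperror.log" | awk 'END{print NR}')
    shl=$(scan_shell_logs "$tmp/log/bash.log" | awk 'END{print NR}')
    rm -rf "$tmp"
    echo "$new $http $shl"
}

# ./triage.sh demo            -> runs the self-contained demonstration
# ./triage.sh /flash/.upgrade -> triages the live appliance (hypothetical stamp path)
case "${1:-}" in
    demo) run_demo ;;
    "")   ;;
    *)    triage "$1" ;;
esac
```

The key design decision is the reference file: compare against the mtime of the last upgrade rather than a fixed date, and treat any newer file under the web root as suspect, since nothing but an upgrade should write there. Tune the grep patterns to the commands your administrators genuinely run; the script surfaces candidates for review, it does not decide.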
