According to a security bulletin released by Citrix this month, their recent patches include a fix for a flaw with a CVSS score of 9.4. If that high score wasn’t enough to make you run to patch your device, the flaw has reportedly been exploited as a zero-day in the wild since August 2023, and the exploit has recently been made public!
This frightening vulnerability is CVE-2023-4966 or Citrix Bleed, a sensitive information disclosure flaw found in Citrix NetScaler ADC and NetScaler Gateway when configured as a gateway. According to Mandiant, it has even been used to infiltrate government entities. Citrix recommends that users patch these products immediately, as NetScaler flaws are typically highly exploited. You can use a Patch Management tool to patch them at your convenience.
How does it work?
CVE-2023-4966 can reportedly be used to hijack existing authenticated sessions and bypass multifactor authentication, making it imperative for users to know how to mitigate it. Thanks to Assetnote, we can now access a detailed PoC for this flaw.
It is exploited by causing a buffer overread in the NetScaler Packet Processing Engine (nsppe) binary. It contains two functions – ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config – both used to implement OpenID Connect Discovery. Here is the function structure as it was before the patch:
iVar3 = snprintf(print_temp_rule,0x20000,
"{\"issuer\": \"https://%.*s\", \"authorization_endpoint\": \"https://%.*s/oauth/idp/login\", \"token_endpoint\": \"https://%.*s/oauth/idp/token\", \"jwks_uri\": \"https://%.*s/oauth/idp/certs\", \"response_types_supported\": [\"code\", \"token\", \"id_token\"], \"id_token_signing_alg_values_supported\": [\"RS256\"], \"end_session_endpoint\": \"https://%.*s/oauth/idp/logout\", \"frontchannel_logout_supported\": true, \"scopes_supported\": [\"openid\", \"ctxs_cc\"], \"claims_supported\": [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\", \"auth_time\", \"acr\", \"amr\", \"email\", \"given_name\", \"family_name\", \"nickname\"], \"userinfo_endpoint\": \"https://%.*s/oauth/idp/userinfo\", \"subject_types_supported\": [\"public\"]}"
,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);
authv2_json_resp = 1;
iVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,iVar3);
This function generates an OpenID configuration payload: snprintf inserts the device hostname into the format string, and its return value is then used as the number of bytes to send to the client. The issue is that although snprintf writes at most 0x20000 bytes into the buffer, it returns the length the fully formatted string would have had, a value that does not depend on the buffer size, and that length is passed straight to ns_vpn_send_response with no check that it actually fits.
This means that an attacker must simply figure out how to make the response exceed 0x20000 bytes to cause a buffer overread, which will let the memory following the buffer “bleed” into the output. Since the hostname value is taken from the HTTP Host header, the flaw is easily exploitable by sending a request with a Host header larger than 0x20000 bytes.
The patch is simple: a conditional statement checks that the length returned by snprintf is smaller than the buffer size before the response is sent.
uVar7 = snprintf(print_temp_rule,0x20000,
"{\"issuer\": \"https://%.*s\", \"authorization_endpoint\": \"https://%.*s/oauth/idp/login\", \"token_endpoint\": \"https://%.*s/oauth/idp/token\", \"jwks_uri\": \"https://%.*s/oauth/idp/certs\", \"response_types_supported\": [\"code\", \"token\", \"id_token\"], \"id_token_signing_alg_values_supported\": [\"RS256\"], \"end_session_endpoint\": \"https://%.*s/oauth/idp/logout\", \"frontchannel_logout_supported\": true, \"scopes_supported\": [\"openid\", \"ctxs_cc\"], \"claims_supported\": [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\", \"auth_time\", \"acr\", \"amr\", \"email\", \"given_name\", \"family_name\", \"nickname\"], \"userinfo_endpoint\": \"https://%.*s/oauth/idp/userinfo\", \"subject_types_supported\": [\"public\"]}"
,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);
uVar4 = 0x20;
if (uVar7 < 0x20000) {
    authv2_json_resp = 1;
    iVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,uVar7);
    ...
}
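To make the two code shapes above concrete, here is an added example (not NetScaler code, and not from Assetnote or Citrix) that models the unpatched and patched builders with a 64-byte buffer and a hypothetical issuer-only format string; the function names and buffer size are assumptions chosen so the truncation case is easy to trigger.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not NetScaler code: a scaled-down model of the
 * two response builders shown above. The buffer is 64 bytes instead of
 * 0x20000 so the truncation case is easy to trigger in a test. */
#define RESP_BUF_SIZE 64
static const char *CONFIG_FMT = "{\"issuer\": \"https://%.*s\"}";

/* Pre-patch shape: hands back snprintf's return value unchanged.
 * snprintf returns the length the formatted string WOULD have had,
 * not how many bytes actually landed in buf, so a caller that sends
 * that many bytes reads past the end of the buffer. */
int build_config_unpatched(char *buf, size_t bufsize,
                           const char *host, size_t hostlen)
{
    return snprintf(buf, bufsize, CONFIG_FMT, (int)hostlen, host);
}

/* Patched shape: the same call, but a return value of bufsize or more
 * means truncation, so the response is refused instead of sent. */
int build_config_patched(char *buf, size_t bufsize,
                         const char *host, size_t hostlen, size_t *out_len)
{
    int n = snprintf(buf, bufsize, CONFIG_FMT, (int)hostlen, host);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;               /* would have overrun: do not send */
    *out_len = (size_t)n;
    return 0;
}

/* Bytes beyond the buffer the unpatched path would transmit for a given
 * hostname (0 when the response fits). Only arithmetic, no OOB read. */
size_t overread_bytes(const char *host)
{
    char buf[RESP_BUF_SIZE];
    int n = build_config_unpatched(buf, sizeof buf, host, strlen(host));
    return (n > 0 && (size_t)n > sizeof buf) ? (size_t)n - sizeof buf : 0;
}

/* Byte count the patched path would send, or -1 when it refuses. */
long patched_len(const char *host)
{
    char buf[RESP_BUF_SIZE];
    size_t len = 0;
    if (build_config_patched(buf, sizeof buf, host, strlen(host), &len) != 0)
        return -1;
    return (long)len;
}
```

With a normal hostname both paths agree; with a hostname longer than the buffer the unpatched path reports a byte count past the end of the buffer while the patched path refuses to send.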
The proof of concept for this vulnerability is available here.
Products Affected
NetScaler ADC and NetScaler Gateway devices configured as a gateway (VPN virtual server, ICA proxy, CVPN, or RDP proxy) or an AAA virtual server (traditional load balancing configurations, etc.) are affected by CVE-2023-4966. Citrix states that devices not configured as the above and other products, such as Citrix SD-WAN, are not affected. Customers using cloud or adaptive authentication services do not need to worry.
Solutions and Mitigations
There are plenty of mitigations for this flaw! Citrix firstly recommends killing all active and persistent sessions with the below commands.
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
Mitigations are helpful, but the best thing to do is immediately patch your devices. Here is a list of patched versions:
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
If you’re having trouble keeping track of patches, SanerNow Vulnerability Management and SanerNow Patch Management can do it for you! With automatic flaw detection and updates, you no longer need to worry about manual installations. Use SanerNow and keep your systems updated and secure.