Axon Rapid Response - CVE-2023-4966 Critical RCE in Citrix Products (NetScaler ADC and NetScaler Gateway)
Incident Report for Rapid Response Status Page
Resolved
Dear customers,

We're happy to notify you that our team has successfully evaluated the risk related to this vulnerability using the data currently available. We will keep a close watch on updates and inform you if there is a significant change.

If you have any questions, please do not hesitate to reach out to us.

Yours,
Team Axon
Posted Oct 22, 2023 - 06:44 UTC
Identified
Team Axon acknowledges the recent identification of vulnerabilities in Citrix products. On Oct 10th, Citrix announced the discovery of these vulnerabilities in its NetScaler products. The more severe of the two was assigned CVE-2023-4966 and received a CVSS score of 9.4. Successful exploitation of the vulnerability could allow an attacker to hijack existing authenticated sessions, resulting in full control of the target Citrix server.

Based on intelligence and analysis published by the firm Mandiant, the vulnerability has been exploited in the wild since early August of this year. The following Rapid Response includes Team Axon's recommendations based on the partial details available on the vulnerability so far.


Team Axon recommendations:

* Prioritize immediate patching of affected appliances. An updated list of patched versions is available in the Citrix announcement.
* If patching isn't possible because the appliances serve production, consider restricting access to authorized IP addresses only until they are patched.
* Based on artifacts shared by Mandiant earlier this week, a hijacked session might persist even after patching. Terminate all sessions post-upgrade and run the CLI command: clear lb persistentSessions
* Rotate credentials for all identities accessing vulnerable appliances (NetScaler ADC and NetScaler Gateway).
* If web shells or backdoors are detected, rebuild the appliances from the latest clean-source image, since patching will not remove them.



Threat Hunting Guidelines

* Hunt for suspicious .php web shells written in the last 4 months. The following bash command was written by Axon and helps find .php files written to disk in the last 4 months. The list might be large, so we recommend starting from the beginning of the list, which is sorted newest file first. The command is written for a Debian-based distribution.

# List .php files whose inode changed (ctime) in the last 4 months, newest first; %Z matches the -cmin test (GNU stat)
find / -name '*.php' -type f -cmin -$((4*30*24*60)) -exec stat --printf='%Z\t%N\n' {} + | sort -rn | cut -f2-

While specific technical information or a proof of concept hasn't been made public yet, Axon is intensifying efforts to monitor the landscape and develop a proper threat-hunting plan.

In the meantime, based on the partial information shared online, we assume that the following query, which the team has created for CVE-2023-3519 (an old Citrix vulnerability from the last couple of months) might be relevant for the CVE-2023-4966 vulnerability as well.

The threat-hunting thesis finds suspicious commands executed under the NetScaler service by leveraging CMD_EXECUTED events from NetScaler audit logs. The query learns and excludes commands the NetScaler service executed during a learning period. We recommend adjusting the learning period (also mentioned in a comment in the query) based on the vulnerability's characteristics, to end prior to Aug 23.
You can find the threat-hunting query in Axon's Rapid Response GitHub repository: https://github.com/axon-git/rapid-response/blob/main/Citrix%20RCE%20CVE-2023-3519/suspicious_netscaler_citrix_commands.sql
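The same learn-then-exclude thesis, as an added Python example that is not the SQL query from Axon's repository: it parses CMD_EXECUTED events, builds a baseline of command text seen before a cutoff, and flags post-cutoff commands not in that baseline. The log lines are constructed and only approximate the NetScaler audit format (an assumption; adjust the regex to your appliance's actual output).

```python
import re
from datetime import datetime

# Constructed sample lines approximating NetScaler audit CMD_EXECUTED entries (assumption).
SAMPLE_LOG = """\
08/01/2023:10:00:00 GMT ns01 0-PPE-0 : default GUI CMD_EXECUTED 101 0 :  User nsroot - Remote_ip 10.0.0.5 - Command "show ns version" - Status "Success"
08/02/2023:10:05:00 GMT ns01 0-PPE-0 : default CLI CMD_EXECUTED 102 0 :  User nsroot - Remote_ip 10.0.0.5 - Command "save ns config" - Status "Success"
08/25/2023:03:12:00 GMT ns01 0-PPE-0 : default CLI CMD_EXECUTED 103 0 :  User nsroot - Remote_ip 203.0.113.7 - Command "show ns version" - Status "Success"
08/25/2023:03:13:00 GMT ns01 0-PPE-0 : default CLI CMD_EXECUTED 104 0 :  User nsroot - Remote_ip 203.0.113.7 - Command "shell id" - Status "Success"
08/26/2023:11:00:00 GMT ns01 0-PPE-0 : default CLI CMD_EXECUTED 105 0 :  User nsroot - Remote_ip 10.0.0.5 - Command "add system user backup" - Status "Success"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) \S+ \S+ \S+ : \S+ \S+ CMD_EXECUTED .*?'
    r'User (?P<user>\S+) - Remote_ip (?P<ip>\S+) - Command "(?P<cmd>[^"]*)"'
)

def parse_cmd_events(text):
    """Extract timestamp, user, source IP and command text from CMD_EXECUTED lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "ts": datetime.strptime(m.group("ts"), "%m/%d/%Y:%H:%M:%S"),
                "user": m.group("user"), "ip": m.group("ip"), "cmd": m.group("cmd"),
            })
    return events

def normalize(cmd):
    # Collapse whitespace so trivially re-spaced commands still match the baseline.
    return " ".join(cmd.split())

def hunt_new_commands(events, learn_until):
    """Return post-cutoff events whose command text never appeared during the learning period."""
    baseline = {normalize(e["cmd"]) for e in events if e["ts"] < learn_until}
    return [e for e in events if e["ts"] >= learn_until and normalize(e["cmd"]) not in baseline]

if __name__ == "__main__":
    # Learning period ends before Aug 23, as recommended above.
    for e in hunt_new_commands(parse_cmd_events(SAMPLE_LOG), datetime(2023, 8, 23)):
        print(e["ts"], e["user"], e["ip"], e["cmd"])
```

Commands that are common in normal administration will be baselined away, so review the flagged set together with the source IP and the time of day rather than treating every hit as malicious.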


The team is closely monitoring the threat landscape and will keep our customers updated as needed.

Yours,
Team Axon.
Posted Oct 19, 2023 - 09:57 UTC
This incident affected: Rapid Response.