{"id":174259578,"date":"2023-11-20T13:00:36","date_gmt":"2023-11-20T13:00:36","guid":{"rendered":"https:\/\/www.netscaler.com\/blog\/?p=174259578"},"modified":"2023-11-20T17:30:25","modified_gmt":"2023-11-20T17:30:25","slug":"netscaler-investigation-recommendations-for-cve-2023-4966","status":"publish","type":"post","link":"https:\/\/www.netscaler.com\/blog\/news\/netscaler-investigation-recommendations-for-cve-2023-4966\/","title":{"rendered":"NetScaler investigation recommendations for CVE-2023-4966\u00a0"},"content":{"rendered":"\n

On October 10, 2023, NetScaler published a security bulletin for CVE-2023-4966 \u2014 now dubbed by some as \u201cCitrixBleed\u201d  \u2014 that affects customer-managed NetScaler ADC and NetScaler Gateway. This critical vulnerability was discovered by our internal team. At the time we published the security bulletin, we were unaware that this vulnerability had been exploited in the wild, and we recommended that customers upgrade as soon as possible to an updated version released simultaneously with the security bulletin to resolve this critical issue.<\/p>\n\n\n\n

In the NetScaler blog post on CVE-2023-4966<\/a> published on October 23, 2023, we shared that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Mandiant both reported that this vulnerability had been exploited by threat actors, leading to session hijacking. We also shared remediation guidance for clearing sessions immediately. We continued to encourage customers that had not patched to do so urgently. We also relayed important information concerning exploit reports from CISA and Mandiant.<\/p>\n\n\n\n

Until mid-October, we understood from public reporting and through very limited support cases that exploitation of CVE-2023-4966 was targeted and limited in nature. However, we learned of a concerning development when, on October 25, Shadowserver Foundation, a non-profit internet monitoring organization, posted on X (formerly known as Twitter) that there was a sharp increase in attempts to exploit this vulnerability in unpatched NetScaler ADCs.<\/p>\n\n\n\n

Now the media is reporting that the LockBit ransomware group is targeting unpatched NetScaler ADCs. <\/p>\n\n\n\n

We strongly urge NetScaler customers to review the security bulletin<\/a>, our October 23 blog post<\/a>, CISA guidance<\/a>, and Mandiant\u2019s blogs on remediation<\/a> and investigation<\/a>, and patch immediately.<\/p>\n\n\n\n

Next step after upgrading<\/h2>\n\n\n\n

If you are using any of the affected builds listed in the security bulletin<\/a>, you should upgrade immediately by installing the updated versions. After you upgrade, we recommend that you remove any active or persistent sessions using the following commands:<\/p>\n\n\n\n

kill aaa session -all\n\nkill icaconnection -all\n\nkill rdp connection -all\n\nkill pcoipConnection -all\n\nclear lb persistentSessions<\/code><\/pre>\n\n\n\n
Note: <\/strong>Please ensure that the formatting remains intact as you copy and paste these commands.<\/em><\/p>\n\n\n\n
Investigation recommendations<\/h2>\n\n\n\n
From our engagements with impacted customers, we\u2019re developing recommendations for investigations of exploits of CVE-2023-4966:<\/p>\n\n\n\n
    \n
  1. Look for patterns of suspicious session use in your organizations\u2019 monitoring and visibility tools, particularly relating to virtual desktops if you have these configured.<\/li>\n<\/ol>\n\n\n\n
      \n
    1. If you are forwarding NetScaler\u2019s logs<\/a> to a syslog server, review these for \u2018SSLVPN TCPCONNSTAT\u2019 logs that contain mismatching \u2018Client_ip\u2019 and \u2018Source\u2019 IP addresses. Note that there are legitimate scenarios where this might occur, such as a roaming user. <\/li>\n<\/ol>\n\n\n\n
        \n
      1. Review the \u2018SSLVPN TCPCONNSTAT\u2019 logs for the same \u2018Source\u2019 IP address accessing the sessions of multiple users (you can refer to the \u2018User\u2019 field in the log).<\/li>\n<\/ol>\n\n\n\n
          \n
        1. Finally, if you are conducting your own forensic investigation on an unpatched instance, see NetScaler product documentation on collecting memory snapshots of the NSPPE process<\/a>. Note that this will require at least 5GB of space<\/a> on your NetScaler ADC, and more in some configurations. You should remove these core dumps, located in \/var\/core, afterwards to avoid filling the partition, which is needed for normal operation. Careful analysis of the memory snapshots of the unpatched instances would help identify if there have been any exploitation attempts.<\/li>\n<\/ol>\n\n\n\n
          Improved vulnerability management with ADM<\/h2>\n\n\n\n
          If you use NetScaler Application Delivery Management (ADM), this is an ideal time to explore the security features in ADM. The first two features below can help reduce your mean time to patch, which we believe is critical in the current threat landscape:<\/p>\n\n\n\n