Mitigating Session Hijacking via NetScaler Citrix Bleed Vulnerability

On October the 10th, 2023, Citrix announced Citrix Bleed vulnerability (CVE-2023-4966) impacting NetScaler ADC and NetScaler Gateway appliances. You can read the full announcement from Citrix here.

Following that, the SecurityHQ team have observed multiple malicious activities that were initiated by exploiting this vulnerability.

How this Vulnerability Works

This vulnerability allows an unauthenticated attacker to steal session tokens via a specially crafted request and gain access to the active session of an already active NetScaler user. The session stays active unless the legitimate user gets logged out of NetScaler.

Who is Impacted by this Vulnerability?

Any external facing NetScaler ADC and NetScaler gateway devices with below versions.

• NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
• NetScaler ADC 13.1-FIPS before 13.1-37.164
• NetScaler ADC 12.1-FIPS before 12.1-55.300
• NetScaler ADC 12.1-NDcPP before 12.1-55.300

(List provided by Citrix)

What is the Risk?

The legitimate user’s sessions will be hijacked. Even if Multifactor Authentication (MFA) is enforced for the user, it won’t be able to protect the session. The Attacker can gain access to all resources that the legitimate users have. The actor can create a backdoor to further perform malicious activities. The Ransomware group “LockBit” has already started to use this vulnerability to gain Initial access into Network. The IP used by the actors to hijack sessions are different in each scenario.

How to Detect Suspicious Behavior in 4 Steps

1. Check for event “default SSLVPN TCPCONNSTAT” in NS log file

Source: NetScaler, ‘Citrix ADC 14.1 Syslog Message Reference’

If you observe that the Client IP and Source IP are not same, that is an indication that the session has been hijacked. Some false positive conditions, if both IP belongs to same Subnet or IP belongs to cloud provider services like Zscaler, Microsoft, Palo Alto.

• Check for long running sessions

Check for long running session through the same event “default SSLVPN TCPCONNSTAT” that shows the session end time. Another way is to check for user Logout events by correlating with session ID.

• Check user logging from non-business location

This particular use case will not be applicable for session hijack scenario but in case of compromised credentials case, it will be good to check source geographic country of source IP from “Login” event.

• Monitor POST requests from “httpaccess-vpn” logs

Check for all ‘POST’ requests from “httpaccess-VPN” logs. In successful session hijack scenario, you will see multiple POST request for file path “/var/netscaler/logon/LogonPoint/Authentication/GetUserName”.

Also, in previously released vulnerabilities, Webshells are dropped in NetScaler via POST requests.  

Recommendations to Users

1. Patch the NetScaler to the latest version.
2. Kill all active and persistent sessions.

• kill icaconnection -all

• kill rdp connection -all

• kill pcoipConnection -all

• kill aaa session -all

• clear lb persistentSessions

3. Enforce MFA for all users on NetScaler. It won’t prevent users from getting hijacked but at least it can prevent interactive login in case of credential compromise.

4. Create Use Cases on SIEM tool to detect the session hijack and other suspicious patterns.

5. Block all IOCs provided by Threat Intel platforms.

6. Place the NetScaler behind firewall and country-based restrictions can be enforced.

7. Always have 24X7 SOC monitoring to detect suspicious activities proactively.

If you have any questions regarding implementing the recommendations above, want to know if you have been compromised, or want to know more about how to safeguard against this vulnerability, reach out to SecurityHQ’s Digital Forensics Team, here.