Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability (CVE-2023-4966)

Description

What is the Attack? According to the blog published by Citrix, CVE-2023-4966 is a buffer overflow vulnerability that can result in unauthorized data disclosure on Citrix NetScaler ADC and NetScaler Gateway products.
These products are affected when configured as a gateway or as an authentication, authorization and auditing (AAA) virtual server. The advisory also states that the vulnerability is rated critical and that no workarounds are available; only upgrading the affected products mitigates the attack.
Why is this Significant? This is significant because the Citrix blog acknowledged that CVE-2023-4966 has been exploited in the wild. Also, CISA added the vulnerability to the Known Exploited Vulnerabilities Catalog on Oct 18th.
The vulnerability was discovered earlier by their internal team and the advisory and related patches were published on Oct 10th.
FortiGuard Labs has protection available for the vulnerability and is seeing several thousand attempts to exploit it.
What is the Vendor Solution? Citrix released relevant updates to the affected products since Oct 10th.
What FortiGuard Coverage is available? FortiGuard Labs has an IPS signature, "HTTP.Header.Overly.Long.Host.Field.Value" (with the default action set to "block"), in place for CVE-2023-4966.
FortiGuard Labs advises users to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.
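The IPS signature named above keys on an overly long Host header value. The following is an added example, not FortiGuard or Citrix code, showing how a defender could apply the same idea to raw HTTP requests captured in front of a NetScaler (for example from a reverse proxy log or a packet capture). The `MAX_HOST_LEN` threshold, the `parse_host` and `scan_requests` helpers and the sample requests are all assumptions constructed for this illustration; they are not the signature's real settings.

```python
"""Flag HTTP requests whose Host header value is abnormally long.

Added example (not FortiGuard or Citrix code). It mirrors the intent of the
advisory's IPS signature, an overly long Host field value, on constructed
request samples. The threshold below is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed threshold. A DNS hostname is at most 253 octets, so anything much
# longer is never a legitimate name; a deployment may choose a tighter value.
MAX_HOST_LEN = 256


@dataclass
class Finding:
    request_no: int   # 1-based index of the offending request in the input
    host_len: int     # length of the Host value that tripped the check
    host_preview: str # first characters of the value, for the alert text


def parse_host(raw_request: str) -> Optional[str]:
    """Return the Host header value of one raw HTTP request, or None.

    Headers end at the first blank line. Header names are matched
    case-insensitively and leading/trailing whitespace on the value is
    stripped, as HTTP permits.
    """
    head = raw_request.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    for line in head.splitlines()[1:]:        # skip the request line itself
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def scan_requests(requests: List[str], max_len: int = MAX_HOST_LEN) -> List[Finding]:
    """Return a Finding for every request whose Host value exceeds max_len."""
    findings: List[Finding] = []
    for idx, req in enumerate(requests, start=1):
        host = parse_host(req)
        if host is not None and len(host) > max_len:
            findings.append(Finding(idx, len(host), host[:40] + "..."))
    return findings


# Constructed samples: one ordinary request and one with an oversized Host.
SAMPLE_REQUESTS = [
    "GET /vpn/index.html HTTP/1.1\r\nHost: gateway.example.test\r\nUser-Agent: test\r\n\r\n",
    "GET /some/path HTTP/1.1\r\nhost: " + "a" * 1200 + "\r\nUser-Agent: test\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"request {f.request_no}: Host length {f.host_len} "
              f"exceeds {MAX_HOST_LEN}: {f.host_preview}")
```

Run against the samples, only the second request is reported. In practice such a check belongs on a device that sees the request before the NetScaler does, since the vulnerable appliance is the one being targeted; the threshold should be tuned against the longest legitimate hostnames served.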

Outbreak Alert

CVE-2023-4966 is being widely exploited, with multiple threat actors, including ransomware groups, targeting internet-accessible NetScaler ADC and Gateway instances. After exploiting CVE-2023-4966, the attackers may engage in network reconnaissance, stealing account credentials and moving laterally via RDP.


Telemetry