Critical Citrix NetScaler bug needs more than patches

Updated systems might still be exploited, says Mandiant.

The critical bug in some Citrix NetScaler products patched last week remains under exploitation, according to security researchers from Mandiant.

The Google subsidiary said post-patch, additional steps such as password resets are required to block attackers who accessed vulnerable systems.

The vulnerability, CVE-2023-4966, was patched last week, but Mandiant’s analysis said more work is needed.

Zero-day exploits have existed since late August, the security company said, giving attackers “the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements.”

Mandiant’s other key finding was “session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor.”

In other words, deploying the patch didn’t lock out attackers who had already accessed a system.

“The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted,” Mandiant said.

“A threat actor could utilise this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment.”

Mandiant said the additional post-patch steps required to block such attackers include terminating all active and persistent sessions; rotating credentials; rebuilding any devices from a clean image if they show evidence of web shells or backdoors; and restricting ingress access to trusted IP addresses.
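The reason the first of those steps matters is that a session token captured before the patch stays valid afterwards unless the session itself is torn down. The following Python script, added here as an illustration and not tooling from Mandiant, Citrix or iTnews, shows the kind of post-patch hunt a defender would run over appliance session logs: it flags sessions that were established before the patch time, were still in use after it, and were seen from more than one client address, and it separately lists every pre-patch session as a candidate for termination regardless of whether an anomaly was observed. The log format, the field names and the patch timestamp are constructed assumptions; real NetScaler logs would need their own parser.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample session log (NOT real NetScaler output; the field layout is an assumption).
# Session AAA111 logs in before the patch and is later used from a different client IP.
SAMPLE_LOG = """\
2023-10-09T08:00:00Z sess=AAA111 client=203.0.113.10 event=login user=alice
2023-10-09T08:05:00Z sess=AAA111 client=203.0.113.10 event=request
2023-10-10T12:00:00Z sess=AAA111 client=198.51.100.7 event=request
2023-10-11T09:00:00Z sess=BBB222 client=203.0.113.20 event=login user=bob
2023-10-11T09:02:00Z sess=BBB222 client=203.0.113.20 event=request
2023-10-09T10:00:00Z sess=CCC333 client=203.0.113.30 event=login user=carol
2023-10-09T10:01:00Z sess=CCC333 client=203.0.113.30 event=request
"""

# Hypothetical time at which the patch was applied on this appliance.
PATCH_TIME = datetime(2023, 10, 10, 9, 0, tzinfo=timezone.utc)

# Parser for the constructed line format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) client=(?P<ip>\S+) event=(?P<event>\S+)(?: user=(?P<user>\S+))?$"
)


@dataclass
class Event:
    ts: datetime
    sess: str
    ip: str
    event: str
    user: Optional[str]


@dataclass
class SessionSummary:
    sess: str
    user: Optional[str] = None
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    ips: set = field(default_factory=set)


def parse_log(text: str) -> list:
    """Turn log lines into Event objects; malformed lines are skipped rather than aborting the hunt."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["sess"], m["ip"], m["event"], m["user"]))
    return events


def summarize_sessions(events) -> dict:
    """Collapse events into one summary per session id: lifetime and the set of client IPs seen."""
    summaries = {}
    for ev in sorted(events, key=lambda e: e.ts):
        s = summaries.setdefault(ev.sess, SessionSummary(ev.sess))
        if s.first_seen is None:
            s.first_seen = ev.ts
        s.last_seen = ev.ts
        s.ips.add(ev.ip)
        if ev.user:
            s.user = ev.user
    return summaries


def hijack_candidates(summaries, patch_time) -> list:
    """Sessions created before the patch, still active after it, and used from more than one client IP.

    This is the pattern the article describes: session data stolen pre-patch and replayed later.
    """
    return sorted(
        s.sess
        for s in summaries.values()
        if s.first_seen < patch_time and s.last_seen >= patch_time and len(s.ips) > 1
    )


def sessions_to_terminate(summaries, patch_time) -> set:
    """Every session that existed before the patch: its token may have been captured with no visible anomaly,
    which is why the guidance is to terminate all active and persistent sessions, not only flagged ones."""
    return {s.sess for s in summaries.values() if s.first_seen < patch_time}


if __name__ == "__main__":
    summaries = summarize_sessions(parse_log(SAMPLE_LOG))
    print("possible hijacked sessions:", hijack_candidates(summaries, PATCH_TIME))
    print("pre-patch sessions to terminate:", sorted(sessions_to_terminate(summaries, PATCH_TIME)))
```

On the constructed sample, only AAA111 shows the multi-address reuse pattern, but both AAA111 and CCC333 predate the patch and belong on the termination list; BBB222 was created after the patch and is left alone. The split between the two functions mirrors the article's point: detection finds the sessions already abused, while blanket termination plus credential rotation covers the ones whose tokens were taken quietly.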

Citrix has updated its original advisory to reflect the existence of exploits.

Copyright © iTnews.com.au . All rights reserved.