Vulnerability Details : CVE-2023-4966
Public exploit exists!
Used for ransomware!
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.
Products affected by CVE-2023-4966
- Citrix » Netscaler Application Delivery Controller » Fips EditionVersions from including (>=) 13.1 and before (<) 13.1-37.164cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
- Citrix » Netscaler Application Delivery Controller » Fips EditionVersions from including (>=) 12.1 and before (<) 12.1-55.300cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
- Citrix » Netscaler Application Delivery Controller »Versions from including (>=) 13.1 and before (<) 13.1-49.15cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
- Citrix » Netscaler Application Delivery Controller » Ndcpp EditionVersions from including (>=) 12.1 and before (<) 12.1-55.300cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
- Citrix » Netscaler Application Delivery Controller »Versions from including (>=) 14.1 and before (<) 14.1-8.50cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
- Citrix » Netscaler Application Delivery Controller »Versions from including (>=) 13.0 and before (<) 13.0-92.19cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
- cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
CVE-2023-4966 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
CISA required action:
Apply mitigations and kill all active and persistent sessions per vendor instructions [https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/] OR discontinue use of the product if mitigations are unavailable.
CISA description:
Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Notes:
https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/, https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 ; https://nvd.nist.gov/vuln/detail/CV
Added on
2023-10-18
Action due date
2023-11-08
Exploit prediction scoring system (EPSS) score for CVE-2023-4966
95.29%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2023-4966
-
Citrix ADC (NetScaler) Bleed Scanner
Disclosure Date: 2023-10-25First seen: 2023-10-31auxiliary/scanner/http/citrix_bleed_cve_2023_4966This module scans for a vulnerability that allows a remote, unauthenticated attacker to leak memory for a target Citrix ADC server. The leaked memory is then scanned for session cookies which can be hijacked if found. Authors: - Dylan Pindur - Spencer McIntyre
CVSS scores for CVE-2023-4966
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST | |
9.4
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
3.9
|
5.5
|
Citrix Systems, Inc. |
CWE ids for CVE-2023-4966
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: secure@citrix.com (Secondary)
References for CVE-2023-4966
-
https://support.citrix.com/article/CTX579459
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967Vendor Advisory
-
http://packetstormsecurity.com/files/175323/Citrix-Bleed-Session-Token-Leakage-Proof-Of-Concept.html
Citrix Bleed Session Token Leakage Proof Of Concept ≈ Packet StormThird Party Advisory;VDB Entry
Jump to