Critical Citrix NetScaler bug needs more than patches

Updated systems might still be exploited, says Mandiant.

The critical bug in some Citrix NetScaler products patched last week remains under exploitation, according to security researchers from Mandiant.

The Google subsidiary said post-patch, additional steps such as password resets are required to block attackers who accessed vulnerable systems.

The vulnerability, CVE-2023-4966, was patched last week, but Mandiant’s analysis said more work is needed.

Zero-day exploits have existed since late August, the security company said, giving attackers “the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements.”

Mandiant’s other key finding was “session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor.”

In other words, deploying the patch didn’t lock out attackers who had already accessed a system.

“The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted," Mandiant said.

"A threat actor could utilise this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment."

Mandiant said the additional post-patch steps required to block such attackers include terminating all active and persistent sessions; rotating credentials; rebuilding any devices from a clean image if they show evidence of web shells or backdoors; and restricting ingress access to trusted IP addresses.
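The first of those steps, terminating every session, is the one that is easy to believe done and hard to verify. The following script is an added example, not code from iTnews, Mandiant or Citrix: it runs over a small constructed session log (the line format, session tokens, user names, timestamps and RFC 5737 documentation addresses are all assumptions) and reports two things a defender would want after deploying the patch: session tokens issued before the patch time that still appear active afterwards (the termination step did not take effect for them), and tokens seen from more than one client address, which is the pattern of a stolen session being replayed.

```python
"""Added example: verify post-patch session termination and look for replayed
session tokens. The log format and all values below are constructed for the
demonstration and do not reflect any real NetScaler log schema."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class SessionEvent:
    token: str        # opaque session identifier (constructed)
    user: str
    src_ip: str
    seen_at: datetime
    state: str        # "active" or "closed"


def parse_line(line: str) -> SessionEvent:
    # constructed format: "<iso8601> token=<id> user=<name> src=<ip> state=<active|closed>"
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return SessionEvent(fields["token"], fields["user"], fields["src"],
                        datetime.fromisoformat(ts), fields["state"])


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def stale_sessions(events: list, patched_at: datetime) -> list:
    """Tokens first seen before the patch whose latest record after the patch
    still says 'active'. Every session should have been killed at patch time,
    so any token here survived the termination step."""
    by_token = {}
    for ev in sorted(events, key=lambda e: e.seen_at):
        by_token.setdefault(ev.token, []).append(ev)
    stale = []
    for token, evs in by_token.items():
        first, last = evs[0], evs[-1]
        if (first.seen_at < patched_at and last.seen_at >= patched_at
                and last.state == "active"):
            stale.append(token)
    return sorted(stale)


def multi_ip_sessions(events: list) -> dict:
    """Tokens used from more than one client address: a session cookie being
    replayed by a second party looks exactly like this."""
    ips = {}
    for ev in events:
        ips.setdefault(ev.token, set()).add(ev.src_ip)
    return {t: sorted(s) for t, s in ips.items() if len(s) > 1}


# Constructed sample: s1 predates the patch and keeps showing up active from a
# second address; s2 predates the patch but was closed; s3 is post-patch.
SAMPLE_LOG = """\
2023-10-09T08:00:00+00:00 token=s1 user=alice src=203.0.113.5 state=active
2023-10-09T09:30:00+00:00 token=s2 user=bob src=198.51.100.7 state=active
2023-10-10T12:00:00+00:00 token=s1 user=alice src=203.0.113.5 state=active
2023-10-10T12:05:00+00:00 token=s2 user=bob src=198.51.100.7 state=closed
2023-10-10T13:00:00+00:00 token=s1 user=alice src=192.0.2.44 state=active
2023-10-10T14:00:00+00:00 token=s3 user=carol src=198.51.100.9 state=active
"""
# Assumed patch deployment time for the sample (constructed).
PATCHED_AT = datetime(2023, 10, 10, 11, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("pre-patch sessions still active:", stale_sessions(events, PATCHED_AT))
    print("tokens seen from multiple addresses:", multi_ip_sessions(events))
```

Run against real export data, the two lists answer different questions: the first is a compliance check on the termination step itself, the second is a hunting lead that needs an analyst to confirm the user did not simply change networks.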

Citrix has updated its original advisory to reflect the existence of exploits.

Copyright © iTnews.com.au . All rights reserved.