User
Advanced
Verified_Protocol
Citrix

Citrix Bleed: Bypassing MFA & Session Hijacking

"Analyzing the Citrix Bleed (CVE-2023-4966) vulnerability in NetScaler ADC and Gateway."

PopDocs Crew
May 23, 2024
1 MIN

Citrix Bleed (CVE-2023-4966)

Citrix Bleed is a critical information disclosure vulnerability in Citrix NetScaler ADC and Gateway that allows attackers to leak session tokens, bypassing Multi-Factor Authentication (MFA).

The Vulnerability

The vulnerability exists in the way NetScaler handles OAuth requests. By sending a specially crafted request to the /oauth/idp/.well-known/openid-configuration endpoint, an attacker can trigger an out-of-bounds read.

The response includes the contents of memory, which often contains valid session cookies (NSC_AAAC or NSC_TMAS).

Exploit Workflow

  1. Discovery: Identify exposed Citrix Gateway instances.
  2. Token Leak: Send the malicious request and parse the response for session cookies.
  3. Session Replay: Inject the hijacked cookie into a browser and navigate to the Citrix home page. No password or MFA is required.

Post-Exploitation

Attackers often use this initial access to:

  • Enumerate VDI environments.
  • Launch lateral movement within the corporate network.
  • Deploy ransomware or exfiltrate data.

Remediation

  1. Patch Immediately: Apply the security updates provided by Citrix.
  2. Terminate Sessions: Patching alone is NOT enough. You MUST terminate all active and persistent sessions to invalidate existing leaked tokens.
  3. Rotate Secrets: Rotate any secrets or certificates that might have been exposed in memory.
End_Of_Protocol
EOF_0x447553.CA32F928