Citrix Bleed: Bypassing MFA & Session Hijacking
"Analyzing the Citrix Bleed (CVE-2023-4966) vulnerability in NetScaler ADC and Gateway."
Citrix Bleed (CVE-2023-4966)
Citrix Bleed is a critical information disclosure vulnerability in Citrix NetScaler ADC and Gateway that allows attackers to leak session tokens, bypassing Multi-Factor Authentication (MFA).
The Vulnerability
The vulnerability exists in the way NetScaler handles OAuth requests. By sending a specially crafted request to the /oauth/idp/.well-known/openid-configuration endpoint, an attacker can trigger an out-of-bounds read.
The response includes the contents of memory, which often contains valid session cookies (NSC_AAAC or NSC_TMAS).
Exploit Workflow
- Discovery: Identify exposed Citrix Gateway instances.
- Token Leak: Send the malicious request and parse the response for session cookies.
- Session Replay: Inject the hijacked cookie into a browser and navigate to the Citrix home page. No password or MFA is required.
Post-Exploitation
Attackers often use this initial access to:
- Enumerate VDI environments.
- Launch lateral movement within the corporate network.
- Deploy ransomware or exfiltrate data.
Remediation
- Patch Immediately: Apply the security updates provided by Citrix.
- Terminate Sessions: Patching alone is NOT enough. You MUST terminate all active and persistent sessions to invalidate existing leaked tokens.
- Rotate Secrets: Rotate any secrets or certificates that might have been exposed in memory.