Citrix has urged system administrators to apply patches addressing a critical vulnerability that has been exploited in the wild.
Tracked as CVE-2023-4966, the flaw is a buffer overflow issue that could lead to remote code execution. Successful exploitation of the bug requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. According to cybersecurity firm Mandiant, CVE-2023-4966 has been exploited as a zero-day vulnerability since late August of this year.
Citrix said that at the time of disclosure it was not aware of any exploitation attempts but now it has evidence that the flaw has been exploited for session hijacking.
“If you are using affected builds and have configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, we strongly recommend that you immediately install the recommended builds because this vulnerability has been identified as critical,” the company advised, noting that there are no workarounds for the vulnerability.
Citrix has also recommended killing all active and persistent sessions using the following commands:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions