CVE-2023-4966
Citrix ADC VPX vulnerability analysis and mitigation

Overview

CVE-2023-4966, also known as Citrix Bleed, is a sensitive information disclosure vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The vulnerability was disclosed on October 10, 2023, with active exploitation observed in the wild by October 17, 2023. The affected products include NetScaler ADC and NetScaler Gateway versions 14.1, 13.1, 13.0, and various FIPS and NDcPP variants (CISA Guidance).

Technical details

The vulnerability is characterized as a buffer overflow vulnerability that allows for sensitive information disclosure, particularly session authentication token information. It received a CVSS v3.1 base score of 9.4 (Critical) from Citrix Systems, Inc., and 7.5 (High) from NIST NVD. The vulnerability enables attackers to read large amounts of memory after the end of a buffer, which includes sensitive session tokens (Rapid7 Blog).

Impact

The exploitation of CVE-2023-4966 allows attackers to obtain session tokens, which can be used to hijack authenticated user sessions. This enables unauthorized access to protected resources and potential impersonation of legitimate users. The vulnerability affects organizations using Citrix NetScaler ADC and Gateway products in gateway configurations (CISA Guidance).

Mitigation and workarounds

Citrix has released security updates to address the vulnerability. Organizations are advised to update to the following versions: NetScaler ADC and Gateway 14.1-8.50 or later, 13.1-49.15 or later, 13.0-92.19 or later, and corresponding FIPS/NDcPP variants. Additionally, administrators should kill all active and persistent sessions using specific commands provided by Citrix, including 'kill icaconnection -all', 'kill rdp connection -all', 'kill pcoipConnection -all', 'kill aaa session -all', and 'clear lb persistentSessions' (CISA Guidance).
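The fixed builds and session-termination commands above can be turned into a triage check over an appliance inventory. This is an added example, not Citrix or CISA tooling: the hostnames and version strings are constructed, and the `NS13.1: Build 48.47.nc` banner form is an assumption about how a version may be recorded. FIPS/NDcPP variants and branches the page does not list are reported as unknown rather than guessed.

```python
import re

# Fixed builds per release branch, from the mitigation paragraph above.
FIXED = {(14, 1): (8, 50), (13, 1): (49, 15), (13, 0): (92, 19)}

# Session-termination commands quoted in the same paragraph.
SESSION_KILL = ["kill icaconnection -all", "kill rdp connection -all",
                "kill pcoipConnection -all", "kill aaa session -all",
                "clear lb persistentSessions"]

# Matches "13.1-49.15" or a banner such as "NS13.1: Build 48.47.nc" (assumed form).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")

def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    if re.search(r"fips|ndcpp", version, re.IGNORECASE):
        return "unknown"  # the page lists no fixed builds for these variants
    match = VERSION_RE.search(version)
    if not match:
        return "unknown"
    major, minor, build, sub = map(int, match.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown"  # release branch not covered by the page
    # Compare (build, sub) numerically so 8.50 sorts above 8.9.
    return "patched" if (build, sub) >= fixed else "vulnerable"

def triage(inventory):
    """Map host -> (status, ordered follow-up actions)."""
    report = {}
    for host, version in inventory.items():
        status = classify(version)
        if status == "vulnerable":
            # Upgrade first, then end sessions established on the old build.
            actions = ["upgrade to a fixed build"] + SESSION_KILL
        elif status == "unknown":
            actions = ["check the vendor advisory for this variant or branch"]
        else:
            actions = []
        report[host] = (status, actions)
    return report

# Constructed inventory for illustration only.
SAMPLE = {"gw-01": "NS13.1: Build 48.47.nc", "gw-02": "14.1-8.50",
          "gw-03": "13.1-37.100 FIPS", "gw-04": "12.1-65.21"}
```

Calling `triage(SAMPLE)` flags `gw-01` for upgrade followed by the session kill commands, and leaves `gw-03` and `gw-04` for manual review.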

Community reactions

The security community has responded actively to this vulnerability, with multiple security firms and researchers publishing analyses and detection guidance. Shadowserver has reported an increase in scanning activities targeting the vulnerable endpoint, indicating growing attention from potential threat actors (Rapid7 Blog).

This report was generated using AI.
