Citrix Warns Admin to kill active or persistent sessions to thwart hackers

As previously reported, CVE-2023-4966 was discovered and published by Citrix. This vulnerability affected Citrix NetScaler Gateway and ADC devices. Following this, AssetNote published a proof-of-concept for this vulnerability named “CitrixBleed.”

However, this vulnerability was discovered to be exploited by threat actors in the wild by the middle of October and was added to the Known Exploited Vulnerability Catalogue by the CISA. 

Recently, it was reported that the LockBit ransomware group targets this vulnerability to target Vulnerable Citrix ADCs.

Citrix published a security advisory urging its users to patch this vulnerability and run certain commands to ensure no malicious session is active on the affected devices.

Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Recommendations from Citrix

Citrix recommended its users to run the following commands after patching the vulnerable version of devices in order to terminate all the active sessions on the device.

kill aaa session -all
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
clear lb persistentSessions

To investigate further on the affected device, Citrix recommends the following steps.

  • Look for patterns of suspicious session use in your organization’s monitoring and visibility tools, particularly relating to virtual desktops.
  • Review the ‘SSLVPN TCPCONNSTAT’ logs that contain mismatching ‘Client_ip’ and ‘Source’ IP addresses
  • Remove these core dumps, located in /var/core, after a forensic investigation on the affected instance to avoid filling the partition.

For NetScaler ADM users, Citrix recommends exploring the security features in ADM like security advisory, Upgrade advisory, and File Integrity monitoring features to reduce the mean time to patch.

A complete report about the investigation recommendation and precautionary steps has been released by Citrix, providing detailed information on the steps and their uses.

It is recommended for Citrix NetScaler users to patch vulnerable instances to prevent them from getting exploited by threat actors.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.