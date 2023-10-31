getty images

A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is ​​being exploited extensively by ransomware hackers despite a patch being available for three weeks.

Citrix Bleed, the common name for the vulnerability, carries a severity rating of 9.4 out of a possible 10, which is a relatively high designation for an information-disclosure-only bug. Reason: The information exposed may include session tokens, which the hardware provides to devices that have already successfully provided credentials, including those that provide MFA. Tracked as CVE-2023-4966 and residing in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, the vulnerability has been under active exploitation since August. Citrix released a patch on October 10.

Repeat: This is not a drill

Attacks have increased recently, leading security researcher Kevin Beaumont to announce on Saturday: “This vulnerability is now subject to mass exploitation.” He further said, “After talking to many organizations, they are seeing exploitation on a large scale.”

He said that as of Saturday, they had found an estimated 20,000 instances of exploited Citrix devices where session tokens were stolen. He said his estimate was based on running a honeypot of servers that masquerade as vulnerable NetScaler devices to track opportunistic attacks on the Internet. Beaumont then compared those results with other data, including some provided by the NetFlow and Shodan search engines.

Meanwhile, Grenoise, a security company that also deploys honeypots, was showing exploits for CVE-2023-4966 from 135 IP addresses when this post went live on Ars. This is a 27-fold increase from the five IPs Grenois observed five days earlier.

The latest data available from security organization Shadowserver showed that there were approximately 5,500 unpatched devices. Beaumont acknowledged that this estimate contradicts his estimate of 20,000 compromised devices. It was not immediately clear what caused the discrepancy.

The vulnerability is relatively easy to exploit for experienced people. A simple reverse-engineering of the patches released by Citrix shows the functions that are vulnerable, and from there, it is not difficult to write code that exploits them. Making attacks even easier, a handful of proof-of-concept exploits are available online.

In a detailed technical analysis, AssetNote researchers wrote:

We found two functions which were ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config. Both functions perform a similar operation, they implement the OpenID Connect discovery endpoint. The functions are unauthenticatedly accessible via the /oauth/idp/.well-known/openid-configuration and /oauth/rp/.well-known/openid-configuration endpoints, respectively. Both works included the same patch, an additional bounds check before sending the response. This can be seen before and after ns_aaa_oauth_send_openid_config in the snippet below. Original iVar3 = snprintf(print_temp_rule,0x20000, “{\”issuer\”:\”authorization_endpoint\”: \”idp/login\”, \”token_endpoint\”: \”idp/token\”, \”jwks_uri\”: \”idp/certs\”, \”response_types_supported\”: [\”code\”, \”toke n\”, \”id_token\”]\”id_token_signing_alg_values_supported\”: [\”RS256\”]\”end _session_endpoint\”: \”idp/logout\”, \”frontchannel_logout_sup ported\”: true, \”scopes_supported\”: [\”openid\”, \”ctxs_cc\”]\”claim_support version\”: [\”sub\”, \”iss\”, \”aud\”, \”exp\”, \”iat\”, \”auth_time\”, \”acr\”, \”amr \”, \”email\”, \”given_name\”, \”family_name\”, \”nickname\”]\”userinfo_endpoint\”: \”idp/userinfo\”, \”subject_types_supported\”: [\”public\”]}” ,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8); authv2_json_resp = 1; iVar3 = ns_vpn_send_response(param_1,0x100040,print_te mp_rule,iVar3); agreement uVar7 = snprintf(print_temp_rule,0x20000, “{\”issuer\”: \” “authorization_endpoint\”:\” idp/login\”, \”token_endpoint\”: \”idp/token\”, \”jwks_uri\ ” : \”idp/certs\”, \”response_types_supported\”: [\”code\”, \”toke n\”, \”id_token\”]\”id_token_signing_alg_values_supported\”: [\”RS256\”]\”end _session_endpoint\”: \”idp/logout\”, \”frontchannel_logout_sup ported\”: true, \”scopes_supported\”: [\”openid\”, \”ctxs_cc\”]\”claim_support version\”: [\”sub\”, \”iss\”, \”aud\”, \”exp\”, \”iat\”, \”auth_time\”, \”acr\”, \”amr \”, \”email\”, \”given_name\”, \”family_name\”, \”nickname\”]\”userinfo_endpoint\”: \”idp/userinfo\”, \”subject_types_supported\”: [\”public\”]}”. 0x100040 ,print_temp_rule,uVar7); … } The function is very simple, it generates a JSON payload for the OpenID configuration and uses snprintf to insert the device’s hostname at the appropriate places in the payload. In the basic version, the response is sent immediately. In the patched version, the response is sent only if snprintf returns a value less than 0x20000. The vulnerability occurs because the return value of snprintf is used to determine how many bytes are sent to the client by ns_vpn_send_response. This is a problem because snprintf does not return how many bytes. Did Write to buffer, how many bytes does snprintf return will be If the buffer was large enough the buffer was written to. To take advantage of this, we just had to figure out how to get the response to exceed the buffer size of 0x20000 bytes. The application will then respond with a completely filled buffer, plus whatever memory is immediately following the print_temp_rule buffer. Endpoint exploitation Initially we thought the endpoint would likely not be exploitable. The only data entered was the hostname, which requires administrator access to configure. Luckily for us, we were wrong and the value inserted into the payload did not come from the configured hostname. This actually comes from the HTTP Host header. We were also lucky that NetScaler inserts the hostname six times into the payload, as this meant we could reach the buffer limit of 0x20000 bytes without any problems because the host header or the entire request was too long. We put together the following request and sent it to our NetScaler instance. /oauth/idp/.well-known/openid-configuration GET HTTP/1.1 HOST: a <24812 बार दोहराया गया> Connection: Close We received the response shown below with the non-printable characters removed. HTTP/1.1 200 OK mode=block content-length: 147441 cache-controls: no-cache, no-store, must-revalidate pragma: no-cache content-type: application/json; charset=utf-8 Pragma: no-cache Content-Type: text/html Set-Cookie: NSC_AAAC=@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;safe;HttpOnly;path=/ {“Categories”:[],”resources”:[]”subscriptionEnabled”: false, “username”: null} ð å å PÏÏ H¡ éÒÏ eGÁ”RDFAULT ò #pack200-gzip compressdeflategzip dentity þÿÿÿÿÿ ©VPN_GLOBALÿÿÿÿÿ è”AAA_PARAMí Immediately after the JSON payload we can clearly see a lot of leaked memory. Although most of it was zero bytes, the response contained some suspicious looking information.

Advertisement The name Citrix Bleed is a nod to Heartbleed, a different critical information disclosure vulnerability that turned the Internet on its head in 2014. That vulnerability, which resided in the OpenSSL code library, came under massive exploitation and allowed the theft of passwords, encryption keys, banking credentials, and all kinds of other sensitive information. The citrix bleed is not that terrible because there are fewer vulnerable tools in use.

But the citrix bleed is still pretty bad. Organizations should assume that all NetScaler appliances have been compromised. This means patching any remaining unpatched devices. Then, all credentials should be shuffled to ensure that any leaked session tokens have been invalidated. Finally, organizations should inspect their devices and infrastructure for signs of compromise. Security firm Mandiant has in-depth security guidance here.

Source: arstechnica.com