Citrix Bleed Vulnerability

Last Updated:
January 3, 2024

Brief Background of Citrix Bleed

Citrix Bleed, a critical vulnerability in Citrix NetScaler®, has been getting considerable coverage in computing industry publications. This post will provide background about Citrix Bleed and why the story continues to be covered months after the vulnerability was discovered.

Initial Discovery and Mitigation

On July 18, 2023, Cloud Software Group (CSG),  the company resulting from the merger of Citrix® and TIBCO® in 2022, announced three critical vulnerabilities discovered in customer-managed NetScaler® ADC and NetScaler Gateway as a Security Bulletin in the Citrix Knowledge Center. According to the bulletin, the most critical vulnerability, CVE-2023-3519, had already been exploited.

At that time, CSG recommended that updated versions of NetScaler ADC and Gateway software be installed on unmitigated appliances and also released security updates, urging customers to apply the patches as soon as possible.

On July 20, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), part of the United States Department of Homeland Security (DHS), issued a Cybersecurity Advisory acknowledging that CVE-2023-3519 had been exploited against a U.S. critical infrastructure organization in June 2023 and reported to CISA in July. (NOTE: CVE identifiers are assigned by one of approximately 100 CVE Numbering Authorities (CNAs); MITRE Corporation is the Editor and primary CNA for the organization.)

In this exploit, the hackers dropped a web shell (malware that allows remote access to a web server) on the organization’s NetScaler ADC appliance. That act enabled the hackers to steal data from the organization’s Active Directory (AD), including information about users, groups, applications and devices on the network.

Luckily, the appliance targeted was isolated within the organization’s network, so the hackers were unable to compromise the domain controller, which provides authentication and authorization services for the AD domain. The organization was able to fend off the hackers and limit the attack.

At that time, the Shadowserver Foundation estimated that more than 15,000 Citrix servers located worldwide risked compromise unless patches were applied.

Evolution to Citrix Bleed

On October 10, 2023, CSG disclosed a new vulnerability in customer-managed NetScaler ADC and NetScaler Gateway devices. This vulnerability, assigned the identifier CVE-2023-4966, was given the common name Citrix Bleed, which alludes to a notorious 2014 vulnerability called Heartbleed, which was exploited extensively and allowed hackers to steal sensitive information like passwords, encryption keys, and banking credentials.

Citrix Bleed allows remote unauthenticated attackers to extract data from a vulnerable NetScaler device’s memory, including sensitive session tokens. Alarmingly, leveraging the vulnerability is fairly simple and enables a hacker to take control of the network managed by the NetScaler device and use session tokens that authenticate user requests and enable access to user data without needing a password or using two-factor authentication.

CSG issued patches for Citrix Bleed, but on October 17th updated its security advisory to disclose that it had observed exploitation in the wild—i.e., evidence that the vulnerability was already being leveraged at many organizations. In fact, some cyber security firms detected the vulnerability being exploited as early as late-August.

Citrix Bleed Exploits are Probably Ongoing

As of this writing, many sizeable organizations have disclosed security breaches enabled by Citrix Bleed, including Boeing and Xfinity. There are several threat groups actively working to continue exploiting Citrix Bleed to acquire sensitive information to sell, hold for ransom, or leverage as part of an intelligence-gathering operation. And, as long as these groups continue to leverage Citrix Bleed, industry media will continue to cover the resulting breaches.

Why are these groups still seeking to exploit Citrix Bleed? As noted above, Citrix Bleed is easy to exploit if an organization has neglected to apply the appropriate patch—but, in addition to applying the patch, IT must also invalidate active and persistent session tokens prior to rebooting the device. That invalidation prevents a hacker from accessing valid session tokens in memory and using them to take control of active sessions and access sensitive user information.

Because Citrix Bleed is so easy to exploit, any organization using NetScaler should assume that their device(s) have been compromised, ensure that all appropriate patches have been applied and session tokens are invalidated. Additionally, IT should scrutinize all network devices and entire infrastructure for signs of compromise—a number of security firms have published free detailed security guidance to help.

What Next?

For Citrix customers—particularly those utilizing NetScaler in their computing infrastructure—Citrix Bleed hasbeen a harrowing experience. As a result, some of them may question whether Citrix’ recent acquisition and merger with TIBCO distracted the NetScaler product team and slowed their recognition of several critical security flaws in their products. Some Citrix/CSG customers may wonder if other elements of Citrix/CSG’s highly-complex infrastructure could be at risk.

If you’re an ISV or MSP that’s reevaluating your use of Citrix to deliver Windows applications to customers, or wants to reduce your end user computing infrastructure complexity, or cut your cost for delivering Windows applications, consider GO-Global.

With GO-Global application publishing, Windows applications run on a server, which can be installed in any public, private, or hybrid cloud. GO-Global then leverages your cloud services’ existing infrastructure and security and scalability features to deliver advanced functionality with less complexity, lower cost, and lower risk.

For security-conscious organizations, GO-Global supports two-factor authentication and is the only Windows application publishing solution that provides Single Sign-On support for OpenID® Connect (OIDC), which enables organizations to use OIDC identity providers like Okta® and Microsoft® Active Directory Federated Services (ADFS) for single sign-on into GO-Global Windows hosts.

Despite its low cost, GO-Global delivers enterprise-level scalability but is easy to install, configure, and use, and provides a great user experience, including fast logins and minimal latency, even over low-bandwidth connections.

Reduce complexity. Reduce cost. Reduce risk.

Get GO-Global.

To learn more, request a demo here or download a free 30-day trial.