
Citrix NetScaler takeovers possible with new exploit

Vulnerable Citrix NetScaler Application Delivery Controller and NetScaler Gateway instances impacted by the recently remediated critical-severity Citrix Bleed information disclosure bug, tracked as CVE-2023-4966, could have their authentication session cookies stolen and their sessions hijacked through a new proof-of-concept exploit developed by Assetnote researchers, reports BleepingComputer. Comparing unpatched and patched NetScaler versions revealed 50 function changes, and two functions using "snprintf" were found to perform additional bounds checking before generating a response, Assetnote researchers noted. Testing against unpatched instances showed that the hostname value in the generated payload came from the HTTP Host header, meaning the code path is reachable without administrator privileges, and that exceeding the buffer limit would likely force the response to include the contents of the buffer and the memory beyond it. "We could clearly see a lot of leaked memory immediately following the JSON payload. While a lot of it was null bytes, there was some suspicious-looking information in the response," said Assetnote. Availability of the PoC exploit is expected to result in more attacks aimed at Citrix NetScaler devices.
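The bug class the article describes, a formatted response built with snprintf where the length returned by snprintf is trusted even when it exceeds the buffer, is illustrated below with added example code that is not Citrix's code nor Assetnote's analysis. The buffer size, JSON shape and function names are assumptions chosen to show the generic pattern: snprintf returns the number of bytes it would have written, so using that value as the response length without a bounds check sends the buffer plus whatever memory follows it. The checked variant rejects truncated output instead.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative only: this models the generic snprintf length-misuse pattern,
 * not any real NetScaler code. RESP_BUF_SIZE and the JSON shape are assumptions. */
#define RESP_BUF_SIZE 64

/* Vulnerable pattern: snprintf() returns the number of bytes that WOULD have
 * been written, which can exceed the buffer. If the caller uses that value as
 * the number of bytes to send, it reads past the buffer into adjacent memory. */
int build_response_unchecked(char *buf, size_t bufsize, const char *hostname) {
    int n = snprintf(buf, bufsize, "{\"host\":\"%s\"}", hostname);
    return n;  /* may be >= bufsize: caller would over-read */
}

/* Hardened pattern: a return value >= bufsize means the output was truncated,
 * so refuse to produce a response rather than report an oversized length. */
int build_response_checked(char *buf, size_t bufsize, const char *hostname) {
    int n = snprintf(buf, bufsize, "{\"host\":\"%s\"}", hostname);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Convenience wrappers that allocate the fixed-size buffer internally so the
 * two behaviours can be compared for a given hostname. */
int unchecked_response_len(const char *hostname) {
    char buf[RESP_BUF_SIZE];
    return build_response_unchecked(buf, sizeof buf, hostname);
}

int checked_response_len(const char *hostname) {
    char buf[RESP_BUF_SIZE];
    return build_response_checked(buf, sizeof buf, hostname);
}

int main(void) {
    /* Constructed inputs: a short hostname and one long enough to overflow
     * the formatted output past RESP_BUF_SIZE. */
    const char *short_host = "gw.example.test";
    char long_host[200];
    memset(long_host, 'a', sizeof long_host - 1);
    long_host[sizeof long_host - 1] = '\0';

    printf("short: unchecked=%d checked=%d\n",
           unchecked_response_len(short_host), checked_response_len(short_host));
    printf("long:  unchecked=%d checked=%d (buffer is %d bytes)\n",
           unchecked_response_len(long_host), checked_response_len(long_host),
           RESP_BUF_SIZE);
    return 0;
}
```

The point for reviewers auditing similar code is that the fix is not in snprintf itself, which already stops writing at the buffer end, but in what the caller does with the returned length: any value at or above the buffer size must be treated as a failure, never as a byte count to transmit.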
