Serious vulnerabilities in Citrix NetScaler and WinRAR are currently being exploited by threat actors targeting various entities, including government organizations.
Researchers recently revealed active exploitation of CVE-2023-4966 in Citrix’s NetScaler ADC and Gateway appliances, while Google’s TAG has identified government-backed hacking groups exploiting CVE-2023-38831 in WinRAR. Attackers have exploited these vulnerabilities as zero-days, targeting users of NetScaler appliances to hijack their sessions, and users of WinRAR to execute arbitrary code and infect systems with malware.
In this blog post, we will explore the details of these vulnerabilities in NetScaler appliances and WinRAR, as well as available mitigation methods. We aim to provide a comprehensive understanding of the NetScaler and WinRAR vulnerabilities, shed light on the threat actors behind their exploitation, and guide readers through the latest developments in the cyber threat landscape.
Critical NetScaler ADC and Gateway Vulnerability Exploited Since Mid-2023 to Hijack Sessions (CVE-2023-4966)
Last week, Citrix has released an advisory addressing two vulnerabilities found in NetScaler ADC and Gateway appliances. These vulnerabilities, known as CVE-2023-4966 and CVE-2023-4967, are related to unauthenticated buffers. CVE-2023-4966 can lead to the disclosure of sensitive information, while CVE-2023-4967 may result in a Denial-of-Service (DoS) situation.
Most recently, Mandiant has revealed that CVE-2023-4966 has been actively exploited in the wild since August, as a zero-day issue.
Which Versions of Citrix NetScaler ADC and Gateway Are Vulnerable?
The vulnerability affects the following versions of NetScaler ADC and Gateway appliances:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Citrix has emphasized that NetScaler ADC and NetScaler Gateway version 12.1 have reached their End-of-Life (EoL) status and are also vulnerable to this critical security issue, meanwhile customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication remain unaffected.
How Critical Are the Vulnerabilities?
The first vulnerability carries a CVSS score of 9.4 (7.5 on NVD) and has been exploited in the wild as a zero-day issue. The second vulnerability is also of high severity, with a CVSS score of 8.2.
To exploit these vulnerabilities, there is a specific requirement: the affected appliances must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
“Exploits of CVE-2023-4966 on unmitigated appliances have been observed,” Citrix notes in the updated advisory. This underscores the urgency for Citrix customers to promptly apply the necessary patches to mitigate these vulnerabilities.
What Could the Exploitation of CVE-2023-4967 in NetScaler ADC and Gateway Appliances Lead to?
Researchers at Mandiant have detected zero-day exploitation of CVE-2023-4967 in the wild, commencing in late August 2023. Organizations in the professional services and technology sectors, along with government organizations, have been specifically targeted.
Upon exploitation, attackers can hijack authenticated sessions, effectively bypassing Multi-Factor Authentication (MFA) and other robust authentication measures. It is crucial to note that sessions compromised by an attacker might persist even after applying the patch designed to address CVE-2023-4966. Furthermore, Mandiant reports that in some observed instances, session data was pilfered before the patch deployment, and subsequently leveraged by threat actors.
The risk associated with the exploit may further escalate, based on the permissions and access scope granted to the affected identity or session. The greater the level of privileges, the more threat actors possess the ability to collect additional credentials, move laterally within the network, and potentially gain access to further resources within the environment.
Vulnerability card for CVE-2023-4966 on SOCRadar platform.
You can access all updates related to this vulnerability through SOCRadar’s Vulnerability Intelligence module. Additionally, you can utilize this module to search for other identified vulnerabilities, access detailed information about them, and monitor associated threat activities.
How to Protect NetScaler ADC and Gateway Appliances Against CVE-2023-4966?
Customers using NetScaler ADC and Gateway are strongly encouraged to install the relevant updated versions as soon as possible to prevent exploitation:
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
For further guidance on patching CVE-2023-4966, refer to Citrix’s official advisory.
While patching is the best approach, Mandiant has provided a document outlining alternative measures that can be applied if an immediate update is not possible:
- Enforce ingress IP address restrictions on vulnerable appliances to limit exposure, restrict access to trusted or predefined source IP address ranges to reduce external attack exposure.
- After upgrading, terminate all active and persistent sessions per appliance. Use the Command-Line Interface (CLI), connect to your appliance and run the command: clear lb persistentSessions <vServer>
- Rotate credentials for identities accessing resources through a vulnerable NetScaler ADC or Gateway appliance. In the presence of suspicious activity or lateral movement, prioritize credential rotation for a broader range of identities.
- If web shells or backdoors are found on NetScaler appliances, rebuild them using a clean-source image with the latest firmware. If restoring from a backup image is necessary, review the backup configuration to ensure there are no backdoors.
Nation-State Threat Actors Exploit WinRAR Zero-Day Vulnerability in Campaigns Targeting Government Organizations (CVE-2023-38831)
Google’s Threat Analysis Group (TAG) recently detected government-backed hacking groups exploiting a known vulnerability, CVE-2023-38831 (CVSS score: 7.8, High severity), in file archive tool WinRAR.
RARLabs released an updated WinRAR version in August 2023 that fixed several security bugs, including CVE-2023-38831. This vulnerability causes unintended file expansion when handling certain archives, allowing attackers to execute arbitrary code when users open harmless files within ZIP archives.
According to Google, the vulnerability was exploited as a zero-day by threat actors since at least April 2023, targeting financial traders and distributing various commodity malware families. Following its disclosure, Proof-of-Concept (PoC) exploits and exploit generators quickly surfaced on GitHub, with testing activity observed from financially motivated and Advanced Persistent Threat (APT) actors experimenting with CVE-2023-38831.
What is the WinRAR Vulnerability About? (CVE-2023-38831)
When a user double-clicks on a innocuous looking “poc.png_” file in WinRAR prior to version 6.23, it executes “poc.png_.cmd” instead. This happens because WinRAR mistakenly extracts both the selected file and files inside a matching directory to a random temporary folder when determining which files to expand.
WinRAR then normalizes the file path, removing appended spaces, and attempts to execute the user-selected file with a trailing space in the path. This triggers an unexpected behavior in ShellExecute, where it looks for file extensions and ends up executing the first file it finds with an extension like “.pif, .com, .exe, .bat, .lnk, .cmd.”
This quirk in ShellExecute causes “poc.png_.cmd” to be executed, even though the user initially double-clicked on a different file. The issue is not limited to trailing spaces; any space in the file extension can trigger this vulnerability.
Vulnerability card for CVE-2023-38831 on SOCRadar platform.
Campaigns Exploiting CVE-2023-38831 in WinRAR
Google TAG reports that threat actors have utilized this vulnerability in multiple campaigns targeting various organizations:
- FROZENBARENTS (aka SANDWORM), associated with the Russian GRU, impersonated a Ukrainian drone warfare training school in a recent campaign. They used an email lure to deliver a benign PDF document along with a malicious ZIP file exploiting CVE-2023-38831. The payload was a Rhadamanthys infostealer, a commercially available tool, which Google reports is unusual for this group.
- FROZENLAKE (aka APT28), also attributed to Russian GRU, targeted Ukrainian government organizations in a spear-phishing campaign using CVE-2023-38831. They used a free hosting provider to serve the exploit, redirecting users to a mockbin site to verify their location before delivering the malicious file. The decoy document was an event invitation from Razumkov Centre, a Ukrainian think tank.
- FROZENLAKE introduced a new technique in their toolkit by using an exploit file named “IOC_09_11.rar” to create a reverse SSH shell and execute an IRONJAW script via PowerShell. IRONJAW steals browser login data and local state directories, exfiltrating them to a command and control server.
- ISLANDDREAMS (aka APT40), a group linked to China, exploited CVE-2023-38831 in a campaign targeting Papua New Guinea. Their phishing emails included a Dropbox link to a ZIP archive containing the exploit, a password-protected decoy PDF, and an LNK file.
Google advises organizations and users to keep their software up-to-date. For more information and available Indicators of Compromise (IoCs) on the threat actors known to have exploited the vulnerability, visit Google’s analysis of the WinRAR vulnerability. You can find WinRAR updates here.
Proactively Defend Against Exploitation with SOCRadar’s Attack Surface Management
SOCRadar provides continuous monitoring of security vulnerabilities, offering timely intelligence essential for safeguarding organizational assets. With the Attack Surface Management (ASM) module, you can access critical information about vulnerabilities impacting your assets and streamline patch prioritization for effective protection.
SOCRadar’s ASM
The post Zero-Day Vulnerabilities in Citrix NetScaler and WinRAR Are Under Active Exploitation (CVE-2023-4966, CVE-2023-38831) appeared first on SOCRadar® Cyber Intelligence Inc..
Article Link: Zero-Day Vulnerabilities in Citrix NetScaler and WinRAR Are Under Active Exploitation (CVE-2023-4966, CVE-2023-38831)