Ransom Attack Analysis on ICBCFS
TC / 2023-11-13
I. Overview
In the case of the attack on the Industrial and Commercial Bank of China’s U.S. subsidiary, the possible attack chain includes:
- External attackers exploited a vulnerability announced by Citrix; the enterprise neither patched nor took offline the devices running the vulnerable version during the window between disclosure and exploitation.
- Used attack tools to exploit this vulnerability and gain control of network devices.
- Conducted lateral movement within the network, controlling other devices and servers, and acquiring highly sensitive data and files.
- Employed various methods to avoid detection by security software, ensuring their activities remained undiscovered.
This article primarily explains how external attackers broke through network boundaries to invade the corporate internal network from the external network and carry out a network ransomware attack, without delving into the technical details of the ransomware.
II. Background
CVE-2023-4966, commonly known as “Citrix Bleed,” is a significant vulnerability discovered in Citrix NetScaler ADC and NetScaler Gateway.
III. Vulnerability Disclosure Process
Understanding Citrix NetScaler and CVE-2023-4966 Vulnerability
Citrix NetScaler is a multifunctional network device offering load balancing, firewall, and VPN services. NetScaler Gateway mainly handles VPN and authentication tasks, while ADC focuses on load balancing and traffic management. There have been previous issues with NetScaler, but few like CVE-2023-4966 that enable RCE attacks.
Attackers chose this vulnerability due to its impact (CVSS score of 9.4) and the nature of the vulnerability. It is a buffer-related vulnerability, potentially leading to unauthorized access or information leakage.
- Report Date: October 10, 2023
- Nature of Vulnerability: Sensitive information leakage and buffer overflow
- Details of Vulnerability: Citrix issued a critical security bulletin highlighting an “unauthenticated buffer-related vulnerability” in its NetScaler ADC and NetScaler Gateway products. CVE-2023-4966 is particularly notable for its high CVSS score of 9.4 and its classification as a “sensitive information leakage” vulnerability. A score and vulnerability class of this kind imply high risk and attract external attackers.
- Affected Systems: Citrix NetScaler ADC and NetScaler Gateway
- Configuration Vulnerability: Occurs when configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy), or AAA virtual server.
- CVSS Score: 9.4, indicating a high level of severity.
IV. Vulnerability Analysis
The following is an analysis of the CVE-2023-4966 vulnerability exploitation technique.
1) Reference Information
2) Exploitation Analysis
Since Citrix's official advisory disclosed little detail about this vulnerability, this analysis is based solely on the publicly available PoC scripts on GitHub, for example the CVE-2023-4966 exploit script.
3) Script Analysis
(i) Functionality
- Parameter Parsing: The script uses argparse to parse command line parameters, allowing users to specify the target Citrix ADC/Gateway IP or hostname.
- (Core) Payload Generation: Generates a large payload ('a' * 24812), indicating the exploitation of a buffer overflow vulnerability.
  import random, string
  payload = 'a' * 24812
  rand_text_alpha = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(4))
- (Core) Session Token Extraction: Uses a regular expression to search for a session token in the server response, indicating an attempt to capture sensitive data.
  session_token_pattern = r'\b([a-f0-9]{65})\b'
- HTTP Request Construction: The script builds a malformed HTTP request with an excessively large header, potentially triggering abnormal behavior in the target system.
- Disabling SSL Verification: The script disables SSL certificate verification, so it works even against self-signed or invalid SSL certificates.
- Response Analysis: The script checks the server response for specific patterns, particularly session tokens, to determine whether the target is vulnerable.
(ii) Vulnerability Exploitation Summary
The script likely exploits a flaw in the Citrix system's HTTP request processing. By sending a large payload in malformed request headers, it attempts to trigger a buffer overflow that exposes memory contents, so that sensitive data such as session tokens can be captured and used in further attacks.
V. Protective Strategies and Reflections
- For network boundary protection:
  - Risk Asset Management: Establish an asset information database and track CNVD/CVE/CNNVD advisories or threat intelligence against it.
  - Application Scanning and Patching: Vulnerability scanning and fixing high-risk vulnerabilities are the most direct and effective protective actions. Building on the asset database from the first item, regular scanning and prompt updating of vulnerability rules shorten the risk exposure window.
  - Network Monitoring: Enhance monitoring of network traffic, especially for components affected by this vulnerability. For example, large numbers of abnormal HTTP request headers can be identified by network devices such as WAFs, and immediate blocking reduces losses.
- For data protection:
  - Security Awareness Training: Regular practice of encrypted backups.
  - Internal Network Security Devices: Antivirus software, endpoint detection, etc.
  - Incident Response Plan: Prepare a robust incident response plan to address any data breaches potentially caused by this vulnerability.
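As an added, defender-side example (not part of the original article, nor of any PoC script it references), the following Python script implements the network-monitoring check from the boundary-protection list above, the one that would catch the oversized request header described in the script analysis of Section IV: it parses raw HTTP request heads as a WAF or reverse proxy in front of the gateway would see them and flags any header value above a size threshold. The sample requests, the IP addresses, the 1024-byte threshold and the function names are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Assumption: a legitimate Host header carries a hostname, so anything over
# 1 KiB is treated as anomalous. Tune to the traffic profile of the gateway.
MAX_HEADER_VALUE_LEN = 1024


@dataclass
class Finding:
    source_ip: str
    path: str
    header: str
    length: int


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (method, path, {header: value}).
    Header names are lower-cased so 'Host' and 'host' compare equal."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def oversized_headers(headers, limit=MAX_HEADER_VALUE_LEN):
    """Return [(name, length)] for every header value longer than limit."""
    return [(n, len(v)) for n, v in headers.items() if len(v) > limit]


def analyze(requests):
    """requests: iterable of (source_ip, raw_request_head). Returns Findings."""
    findings = []
    for src, raw in requests:
        _method, path, headers = parse_request(raw)
        for name, length in oversized_headers(headers):
            findings.append(Finding(src, path, name, length))
    return findings


def summarize_by_source(findings):
    """Count findings per source IP: repeated hits from one address suggest scanning."""
    return dict(Counter(f.source_ip for f in findings))


# Constructed sample traffic (not real captures): one ordinary gateway login
# page request, and one whose Host header is padded to the 24812-byte payload
# size quoted in the script analysis, far beyond any legitimate hostname.
SAMPLE_REQUESTS = [
    ("203.0.113.10",
     "GET /vpn/index.html HTTP/1.1\r\n"
     "Host: gateway.example.com\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
    ("198.51.100.7",
     "GET / HTTP/1.1\r\n"
     "Host: " + "a" * 24812 + "\r\n"
     "User-Agent: python-requests/2.31\r\n\r\n"),
]

if __name__ == "__main__":
    findings = analyze(SAMPLE_REQUESTS)
    for f in findings:
        print(f"ALERT src={f.source_ip} path={f.path} header={f.header} len={f.length}")
    print(summarize_by_source(findings))
```

The per-header length check is deliberately simple so it can run inline on a proxy or be ported to a WAF rule; in practice the same threshold logic would be applied to the gateway's access logs and the per-source counts forwarded to the SIEM so that a burst of alerts from one address is escalated rather than reviewed one at a time.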