Q4 2023 Cyber Vulnerability Report and Impact

NetScaler Vulnerability Advisory | November 2023

Vulnerability Update

Threat actors have begun exploiting this vulnerability (now named Citrix Bleed) to deploy ransomware. If your organization has not already updated to a fixed version, we recommend doing so immediately and checking for any indicators of compromise (IOC's).

Background Information

Citrix released an advisory detailing a critical security flaw in NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC (formerly Citrix Application Delivery Controller). NetScaler Gateway is commonly used as a remote access solution and NetScaler ADC is a networking appliance for web applications. The security flaw (CVE-2023-4966) allows a remote attacker to bypass password and MFA requirements to hijack legitimate user sessions. A security patch has been released and should be applied immediately.

The vulnerability affects the following products & versions:

• NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15

• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19

• NetScaler ADC 13.1-FIPS before 13.1-37.164

• NetScaler ADC 12.1-FIPS before 12.1-55.300

• NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Impact of the Vulnerability

Without a security patch, remote attackers are hijacking legitimate user sessions, bypassing password and MFA requirements. After taking over a session, attackers are able to acquire elevated privileges, harvest credentials, move laterally, and access additional data and resources. These attacks are already taking place and result in ransomware being deployed across organizations.

Next steps for Citrix customers:

1. Upgrade to a non-vulnerable version of ADC or Gateway as soon as possible:

   • NetScaler ADC and NetScaler Gateway 14.1-8.50  and later releases

   • NetScaler ADC and NetScaler Gateway  13.1-49.15  and later releases of 13.1

   • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0  

   • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS  

   • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS  

   • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

   Note: Please note that Citrix ADC and Citrix Gateway versions prior to 12.1 are End of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

2. If you have not already updated, then we now recommend checking for indicators of compromise after you do update, as it's possible there could have already been malicious activity.

   • See here for a non-exhaustive IOC list.

Resources

https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a

_________________________________

Confluence Data Center & Server Vulnerability Alert | October 2023

Background Information

Confluence issued a security advisory for a critical vulnerability. The flaw, CVE-2023-22515, affects Confluence Data Center & Server commonly used for collaboration and development. The vulnerability allows a remote attacker to perform malicious actions an affected system. We recommend organizations apply security updates immediately due to active exploitation.

Impact of the Vulnerability

This critical privilege escalation flaw affects Confluence Data Center and Server 8.0.0 and later and is described as being remotely exploitable in low-complexity attacks that don't require user interaction. An attacker could gain remote access and perform malicious actions on an affected system. Corvus has observed similar vulnerabilities lead to data theft and extortion as well as ransomware attacks.

Note: Atlassian Cloud sites are not affected by this vulnerability.

If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Next steps for Confluence Data Center & Server customers:

1. Update to a fixed version.

   1. 8.3.3 or later

   2. 8.4.3 or later

   3. 8.5.2 (Long-Term Support release) or later

2. If you are unable to upgrade Confluence, as an interim measure we recommend restricting external network access to the affected instance as a workaround.

   1. On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml  and add the following block of code (just before the </web-app> tag at the end of the file):

   2. <security-constraint>
      <web-resource-collection>
      <url-pattern>/setup/*</url-pattern>
      <http-method-omission>*</http-method-omission>
      </web-resource-collection>
      <auth-constraint />
      </security-constraint>

   3. Restart Confluence.

3. As well as upgrading to a fixed version, we recommend you check all affected Confluence instances for the following indicators of compromise:

   1. unexpected members of the confluence-administrator group

   2. unexpected newly created user accounts

   3. requests to /setup/*.action in network access logs

   4. presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
      

Resources

https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html

Background Information

Technology company, F5 released patches for a critical remote code execution vulnerability, CVE-2023-46747, affecting its BIG-IP family of products, which include popular load balancer devices and software. The critical vulnerability allows threat actors with network access to take over BIG-IP systems which can allow for them to execute commands, create or delete files or disable services.

F5’s BIG-IP is a family of networking products including software and hardware designed around application availability, access control, and security solutions. F5 BIG-IP enables control over network traffic and selects the right destination based on server performance, security, and availability.

Impact of the Vulnerability

The vulnerability has a score of 9.8, meaning it’s critical. Corvus has observed similar vulnerabilities lead to ransomware attacks. It is important to note that the vulnerability only impacts the control plane and does not impact the data plane (the control plane is the part of a network that controls how data is forwarded, while the data plane is the actual forwarding process).

Fixes are available in versions:

• 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG

• 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG

• 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG

• 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG

• 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG

Overview of BIG-IP and How It Works

What is BIG-IP?

F5's BIG-IP is a family of networking products including software and hardware designed around application availability, access control, and security solutions. F5 BIG-IP enables control over network traffic and selects the right destination based on server performance, security, and availability.

One of the main uses of BIG-IP software is as a load balancer. A load balancer is like a ‘traffic controller’ for a server – it directs requests to an available server that is capable of fulfilling the request efficiently. The goal is to reduce the additional load on a particular server and ensure seamless operations and response, giving the end-user a better experience. Load balancers ensure reliability and availability by monitoring the “health” of applications and only sending requests to servers and applications that can respond in a timely manner.

How does BIG-IP work?

F5 BIG-IP devices work in a modular manner - meaning that you can add ‘modules’ to the F5 BIG-IP devices as needed per an organization's requirements. BIG-IP software products are licensed modules that run on top of F5's Traffic Management Operation System. Below are the primary BIG-IP Software modules, all of which are impacted by this critical vulnerability.

BIG-IP Local Traffic Manager (LTM)

• LTM provides the platform for creating virtual servers, performance, service, protocol, authentication, and security profiles to define and shape application traffic. Most other modules in the BIG-IP family use LTM as a foundation for enhanced services.

BIG-IP DNS

• Distributes DNS and user application requests based on business policies, data center and network conditions, user location, and application performance.

BIG-IP Application Security Manager

• Detects and mitigates bots, secures credentials and sensitive data, and defends against application DoS.

BIG-IP Access Policy Manager

• Delivers unified global access to a network, cloud, and applications. 

BIG-IP Advanced Firewall Manager

• Network firewall designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols.

Next Steps for Big-IP Customers

1. Determine if your organization is using F5 BIG-IP directly or via a vendor.

2. If your organization has a vendor that utilizes the F5 BIG-IP suite of networking products, reach out to your vendor contact and confirm they have applied the patches.

3. If your organization uses F5 BIG-IP software/devices directly, update to the latest version as soon as possible according to the chart in F5’s advisory.

• • Fixes are available in versions:

    • 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG

    • 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG

    • 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG

    • 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG

    • 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG

  • Firmware versions prior to 13.x will not receive security updates as they are EOL (end-of-life), and users relying on those versions should upgrade to a newer version and apply the following mitigations until the upgrade is in place:

    • Block Configuration utility access through self IP addresses

    • Block Configuration utility access through the management interface

  • F5 has also released a script that can be used to mitigate the issue.

Important note: this script mitigation must only be used on systems running version 14.1.0 and later. See here for the script and instructions.