Threat actors have begun exploiting this vulnerability (now named Citrix Bleed) to deploy ransomware. If your organization has not already updated to a fixed version, we recommend doing so immediately and checking for any indicators of compromise (IOCs).
Citrix released an advisory detailing a critical security flaw in NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC (formerly Citrix Application Delivery Controller). NetScaler Gateway is commonly used as a remote access solution and NetScaler ADC is a networking appliance for web applications. The security flaw (CVE-2023-4966) allows a remote attacker to bypass password and MFA requirements to hijack legitimate user sessions. A security patch has been released and should be applied immediately.
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) and remains vulnerable.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
Without a security patch, remote attackers are hijacking legitimate user sessions, bypassing password and MFA requirements. After taking over a session, attackers are able to acquire elevated privileges, harvest credentials, move laterally, and access additional data and resources. These attacks are already taking place and result in ransomware being deployed across organizations.
NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
Note: Citrix ADC and Citrix Gateway versions prior to 12.1 are End of Life (EOL). Customers should upgrade their appliances to one of the supported versions that address the vulnerabilities.
See here for a non-exhaustive IOC list.
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a
_________________________________
Confluence issued a security advisory for a critical vulnerability. The flaw, CVE-2023-22515, affects Confluence Data Center & Server, commonly used for collaboration and development. The vulnerability allows a remote attacker to perform malicious actions on an affected system. We recommend organizations apply security updates immediately due to active exploitation.
This critical privilege escalation flaw affects Confluence Data Center and Server 8.0.0 and later and is described as being remotely exploitable in low-complexity attacks that don't require user interaction. An attacker could gain remote access and perform malicious actions on an affected system. Corvus has observed similar vulnerabilities leading to data theft and extortion as well as ransomware attacks.
Note: Atlassian Cloud sites are not affected by this vulnerability.
If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
8.3.3 or later
8.4.3 or later
8.5.2 (Long-Term Support release) or later
On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
<security-constraint>
    <web-resource-collection>
        <url-pattern>/setup/*</url-pattern>
        <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
Restart Confluence.
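To confirm on every node that the block above actually landed in web.xml (and was not loosened to specific verbs or roles), here is an added check script; it is not Atlassian's code, and the sample web.xml it embeds is constructed:

```python
"""Verify that a Confluence web.xml carries the /setup/* blocking constraint.

Added example, not Atlassian's code. It looks for a <security-constraint>
covering url-pattern /setup/* for every HTTP method with an empty
<auth-constraint/>, which is what denies all requests to the setup actions.
"""
import xml.etree.ElementTree as ET

def _local(tag: str) -> str:
    """Strip the XML namespace from a tag ('{ns}foo' -> 'foo'); web.xml usually declares one."""
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name: str) -> list[str]:
    """Text of all direct children of `parent` named `name`."""
    return [c.text.strip() for c in parent if _local(c.tag) == name and c.text]

def setup_is_blocked(web_xml_text: str) -> bool:
    """True if web.xml denies every request, for every verb, under /setup/*."""
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        covers_setup = all_verbs = False
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            if "/setup/*" in _texts(wrc, "url-pattern"):
                covers_setup = True
                # Listing <http-method>s, or omitting a real verb, leaves other verbs open.
                all_verbs = not _texts(wrc, "http-method") and all(
                    o == "*" for o in _texts(wrc, "http-method-omission"))
        # An <auth-constraint/> with no <role-name> denies all users; one with roles does not.
        denies_all = any(len(a) == 0 for a in sc if _local(a.tag) == "auth-constraint")
        if covers_setup and all_verbs and denies_all:
            return True
    return False

# Constructed sample: a minimal web.xml with the mitigation block applied.
SAMPLE_MITIGATED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/setup/*</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MITIGATED
    print("/setup/* blocked" if setup_is_blocked(text) else "/setup/* NOT blocked")
```

Run it with the path to each node's web.xml as the first argument; a "NOT blocked" result means the mitigation is missing or was altered.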
unexpected members of the confluence-administrator group
unexpected newly created user accounts
requests to /setup/*.action in network access logs
presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
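An added script, not Atlassian's, that searches for the two log-based indicators listed above. It assumes access logs in the common log format (adapt the regex to your reverse proxy or Tomcat AccessLogValve pattern) and uses constructed sample lines:

```python
"""Hunt for the two log-based indicators above in Confluence logs.

Added example, not Atlassian's code. The access-log regex assumes the common
log format (ip ident user [timestamp] "request" status); adapt it if your
reverse proxy or Tomcat AccessLogValve pattern differs. Samples are constructed.
"""
import re

# Common-log-format line: ip ident user [ts] "METHOD path HTTP/x" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Any action under /setup/, with or without a query string.
SETUP_ACTION_RE = re.compile(r"^/setup/[^?]*\.action(\?|$)")

def find_setup_requests(access_log: str) -> list[dict]:
    """Return parsed access-log entries whose path matches /setup/*.action."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and SETUP_ACTION_RE.match(m["path"]):
            hits.append({k: m[k] for k in ("ip", "ts", "method", "path", "status")})
    return hits

def find_setupadministrator_exceptions(security_log: str) -> list[str]:
    """Return atlassian-confluence-security.log lines naming setupadministrator.action."""
    return [l for l in security_log.splitlines()
            if "/setup/setupadministrator.action" in l]

# Constructed sample lines (not real traffic); /setup/example.action is a made-up path.
SAMPLE_ACCESS = """\
198.51.100.2 - - [04/Oct/2023:10:14:55 +0000] "GET /dashboard.action HTTP/1.1" 200 8123
203.0.113.7 - - [04/Oct/2023:10:15:02 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
203.0.113.7 - - [04/Oct/2023:10:15:03 +0000] "GET /setup/example.action?x=1 HTTP/1.1" 200 512
198.51.100.2 - - [04/Oct/2023:10:16:40 +0000] "GET /display/SETUP/Guide HTTP/1.1" 200 4410
"""
SAMPLE_SECURITY = """\
2023-10-04 10:15:02,311 WARN [http-nio-8090-exec-3] [confluence.setup] constructed exception at /setup/setupadministrator.action
2023-10-04 10:16:40,000 INFO [http-nio-8090-exec-5] [confluence.security.login] login succeeded for user jdoe
"""

if __name__ == "__main__":
    for hit in find_setup_requests(SAMPLE_ACCESS):
        print("suspicious setup request:", hit)
    for line in find_setupadministrator_exceptions(SAMPLE_SECURITY):
        print("security.log indicator:", line)
```

Any hit on a production system that has already completed setup warrants a review of the other indicators (new administrators and accounts) for the same time window.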
Resources
_________________________________
Technology company F5 released patches for a critical remote code execution vulnerability, CVE-2023-46747, affecting its BIG-IP family of products, which includes popular load balancer devices and software. The critical vulnerability allows threat actors with network access to take over BIG-IP systems, which can allow them to execute commands, create or delete files, or disable services.
F5’s BIG-IP is a family of networking products including software and hardware designed around application availability, access control, and security solutions. F5 BIG-IP enables control over network traffic and selects the right destination based on server performance, security, and availability.
The vulnerability has a CVSS score of 9.8, meaning it is rated critical. Corvus has observed similar vulnerabilities leading to ransomware attacks. It is important to note that the vulnerability only impacts the control plane and does not impact the data plane (the control plane is the part of a network that controls how data is forwarded, while the data plane is the actual forwarding process).
One of the main uses of BIG-IP software is as a load balancer. A load balancer is like a ‘traffic controller’ for a server – it directs requests to an available server that is capable of fulfilling the request efficiently. The goal is to reduce the additional load on a particular server and ensure seamless operations and response, giving the end-user a better experience. Load balancers ensure reliability and availability by monitoring the “health” of applications and only sending requests to servers and applications that can respond in a timely manner.
F5 BIG-IP devices work in a modular manner, meaning that modules can be added to the devices as an organization's requirements dictate. BIG-IP software products are licensed modules that run on top of F5's Traffic Management Operation System. Below are the primary BIG-IP software modules, all of which are impacted by this critical vulnerability.
Fixes are available in versions:
17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
Firmware versions prior to 13.x will not receive security updates as they are end-of-life (EOL); users relying on those versions should upgrade to a newer version and apply the following mitigations until the upgrade is in place:
F5 has also released a script that can be used to mitigate the issue.
Important note: this script mitigation must only be used on systems running version 14.1.0 and later. See here for the script and instructions.