This blog post is a deep-dive analysis of the Citrix Bleed vulnerability and exploitation. See the kill chain, how Remote Code Execution (RCE) attacks easily bypass EDR tools, and how the Virsec Security Platform's Zero Trust security compensating controls provide protection, even in unpatched environments.
Citrix’s Netscaler Application Delivery Controller (ADC) and NetScaler Gateway enable enterprises to access their desktops and applications securely and remotely. Citrix also offers server applications, desktop virtualization, cloud computing, and networking products for Windows, Linux, and MAC platforms. Networking products converge and consolidate functionality such as Layer 4 Load Balancing, Layer 7 Traffic Management, Server Offloading, Application Acceleration, and Secure Remote Access, enhanced security policies, web–filtering policies for Internet users, user behavior analytics capabilities, to name a few. A block diagram showing how the Gateway works is as follows:
Citrix’s products serve over 100 million end-users, 400,000 customers, and 10000 partners in 100 countries.
On October 10th, 2023, the NVD announced a vulnerability in Citrix’s ADC and Gateway, CVE-2023-4966, with a CVSS score of 7.5 High when configured as a Gateway (VPN Virtual Server, ICA Proxy, CVPN, RDP Proxy) or AAA Virtual Server. Due to the similarity in the underlying weakness with the Heart Bleed vulnerability in the Open SSL stack, this vulnerability was dubbed Citrix Bleed.
This vulnerability is present in:
On October 18th, 2023, CISA released guidance indicating Threat Actors were actively exploiting a critical Remote Code Execution (RCE) vulnerability, CVE-2023-4966. Interestingly, Citrix itself classified this vulnerability with a score of 9.4 Critical.
Exploiting this vulnerability could disclose sensitive information, including session authentication token information that may allow a threat actor to “hijack” a user’s session.
When a Threat Actor pushes a very large buffer into the “Host” field of the HTTP Request, a vulnerable version of the Citrix gateway pushes a large amount of unexpected data, including the last authenticated user’s session token, into the HTTP Response.
The Threat Actor can then embed this session token in the following HTTP Requests and perform any action (such as extract valuable business and launch a ransomware attack) that the last authenticated user could perform without ever coming into possession of the said user’s password and without being impeded by MFA. By executing this attack repeatedly, the Threat Actor can extract the session cookies of other logged-in users can also be found.
Below, we show the kill chain associated with this attack, as reported by Mandiant and AssetNote, who reverse-engineered Citrix code and analyzed the vulnerability almost identically. The color-coded legend at the bottom depicts the various attack stages.
The sad reality- nothing! Fortunately for those enterprises that have deployed Zero Trust Runtime Defense security controls like the Virsec Security Platform (VSP), an RCE vulnerability does not automatically translate into a breach. This acts as a compensating control that can keep the enterprise safe, even when it hasn’t patched one or more RCE vulnerabilities.
Conventional EDRs are security controls that follow the default-allow-block-on-threat philosophy. The typical EDR implicitly relies on many assumptions that Threat Actors circumvent routinely. One example of such abuse is the unhooking of the telemetry hooks that the EDR relies on. Unfortunately, the skills of Threat Actors often exceed the skills of both the practitioner and the AI/ML algorithm combined. It's no wonder cyberattacks continue to blindside EDRs. An EDR that unknowingly lets malicious code execute, even for a millisecond, is of questionable value. Those precious milliseconds are enough to unload, stop, or corrupt the EDR. At that point, the EDR is asleep at the wheel.
By contrast, true Zero Trust Runtime Defense security controls built with the default-deny-allow-on-trust (aka Positive Security) philosophy restrict the workload from processing code, threads, and child processes influenced by the Threat Actor. Positive Security Control protects the workload by allowing only such code, threads, and child processes that the enterprise explicitly trusts. This default-deny-allow-on-trust approach of the Positive Security Model ensures that no malware, no matter how sophisticated, can execute even one instruction on a victim workload, even if the Threat Actor has infiltrated that workload using stolen administrative credentials.
With that in mind, let’s reexamine the kill chain of the Citrix Bleed attack in the context of Virsec’s VSP:
Virsec’s VSP can protect Citrix ADC and Gateway deployments against cyberattacks at Step 3 without needing any Threat Feeds, YARA rules, Behavioral, or Heuristic Signatures.
In today's fast-paced business environment, it can be a constant challenge for even the most mature organizations to keep their enterprise software updated. With the daily influx of patches, it can feel like a never-ending task. Unfortunately, this also means that Threat Actors are always ready to exploit any vulnerabilities that might arise, especially when it comes to Remote Code Execution (RCE) attributes.
By implementing a Zero Trust Runtime Defense solution like the Virsec Security Platform, enterprises can attain a level of cyber hygiene that surpasses the capabilities of traditional EDR technology. This is crucial because sophisticated malware has the ability to disable, unload, or terminate EDR processes and effectively evade detection. With the deployment of a robust Zero Trust solution, organizations can fortify their workloads against such threats and ensure comprehensive protection.
To learn more about Virsec VSP, please visit us at www.virsec.com
For more detailed information on Zero Trust Runtime Defense and how we protect vulnerable legacy workloads, visit www.virsec.com.
Don't miss our security insights, and subscribe to our blog now.