Active Exploitation Of Big-IP And Citrix Vulnerabilities Observed By Cyble Global Sensor Intelligence Network – Cyble

Overview

Cyble Global Sensor Intelligence (CGSI) has identified ongoing exploitation of recently disclosed vulnerabilities that were highlighted in the latest advisory from the Cybersecurity and Infrastructure Security Agency (CISA). CISA issued security alerts for the actively exploited Citrix vulnerability (CVE-2023-4966) on October 10 and for the BIG-IP vulnerabilities (CVE-2023-46747, CVE-2023-46748) on October 31.

Subsequently, Cyble researchers observed publicly available Proofs of Concept (PoCs) for these vulnerabilities circulating rapidly in cybercrime forums, as illustrated in the figure below.

Figure 1 – Publicly available PoCs in cybercrime forums

Within days of the PoCs being made public, both vulnerabilities were being actively exploited, and CGSI sensors captured the exploitation attempts shown below.

Figure 2 – BIG-IP Scanning Attempts Captured By CGSI
Figure 3 – NetScaler Scanning Attempts Captured By CGSI

At the time of publishing this blog, an online scanner indicated more than 1,000 “Big IP” instances and over 20,000 “Netscaler” instances accessible over the internet. These systems are potential targets for attackers and may be vulnerable to the recent security vulnerabilities.

The figures below show the top five geographies by count of internet-exposed instances for each product.

Figure 4 – Top 5 Countries with the highest count of Internet-exposed BIG-IP Instances
Figure 5 – Top 5 Countries with the highest count of Internet-exposed NetScaler Instances

Note: Multiple honeypots are also visible among these exposed instances.

BIG IP Vulnerabilities

CVE-2023-46747 and CVE-2023-46748 affect F5 BIG-IP Virtual Edition. F5 has observed threat actors chaining the two: exploiting CVE-2023-46747 (authentication bypass) and then using the resulting access to exploit CVE-2023-46748 (SQL injection).

These vulnerabilities were discovered by security experts at Praetorian Labs, who publicly disclosed the details on October 26, 2023. They pinpointed an authentication bypass problem that had the potential to result in a full compromise of F5 systems featuring an exposed Traffic Management User Interface (TMUI).

The researchers aimed to achieve total control over the BIG-IP system by analyzing different server requests. They utilized the Burp Suite proxy to scrutinize the URL requests, with a particular focus on the user creation workflow to gather more information.

During the user creation process within F5 BIG-IP, the system sent a request to the “/tmui” API. By employing Apache JServ Protocol (AJP) request smuggling techniques, researchers managed to forward POST requests to the “/tmui” API.

As the F5 Java servlet was handling the incoming POST request, it entered the “doGet” method located within the “com.f5.controller” class. Within this method, the servlet processed a request that was assembled from the smuggled AJP message. One of the AJP attributes included in this AJP message was “remote_user,” which had its value directly encoded in the AJP request. The researchers intentionally set this attribute to “admin,” causing the “request.getRemoteUser()” function to return “admin.”

To accomplish successful user creation, the researchers made an additional adjustment by including a “REMOTEROLE” header with a value of “0” within the manipulated AJP request. The backend TMUI handler then treated the tampered request as if it were originating from an administrative user.

In order for the system to treat the manipulated request as a POST request, it needed to have a specific length of exactly 518 bytes. Initially, the request was considerably larger, totaling 1,726 bytes. After some experimentation, the researchers successfully reduced the request’s size to around 400 bytes. They properly encoded this 400-byte AJP POST request and then padded it to reach the required 518-byte limit. With this modified request, the researchers were able to send it to create a new administrator user using the provided credentials.

Following the submission of the manipulated request to establish valid administrator credentials, the researchers gained the ability to authenticate with the F5 system through the standard authentication process and subsequently execute arbitrary commands via the “mgmt” API. The simplest method to achieve this is outlined in a support article provided by F5.

The support article's approach is a single curl request, reproduced below with straight quotes and the inner quotes escaped (USER, PASS and $IP are placeholders):

curl -sk -u 'USER:PASS' -H 'Content-Type: application/json' -X POST -d '{"command": "run", "utilCmdArgs": "-c \"whoami\""}' https://$IP:8443/mgmt/tm/util/bash

Vulnerable Software Version(s)

Multiple BIG-IP versions are affected. The table below lists the vulnerable versions together with the releases that introduce the fixes.

| Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature |
|---|---|---|---|---|---|---|
| BIG-IP (all modules) | 17.x | 17.1.0 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG | Critical | 9.8 | Configuration utility |
| | 16.x | 16.1.0 – 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG | | | |
| | 15.x | 15.1.0 – 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG | | | |
| | 14.x | 14.1.0 – 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG | | | |
| | 13.x | 13.1.0 – 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG | | | |
| BIG-IQ Centralized Management | All | None | Not applicable | Not vulnerable | None | None |

| Vulnerability | CVE | CVSSv3.1 |
|---|---|---|
| F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability | CVE-2023-46747 | 9.8 |
| F5 BIG-IP Configuration Utility SQL Injection Vulnerability | CVE-2023-46748 | |

Mitigation

F5 has shared mitigation details for the vulnerabilities in its advisory. For BIG-IP versions 14.1.0 and later, you can run the script mentioned in the F5 advisory to mitigate this issue. This script must not be used on any BIG-IP version prior to 14.1.0, or it will prevent the Configuration utility from starting.

Citrix Vulnerability

On October 10, 2023, Citrix released a security advisory that mentioned “unauthenticated buffer-related vulnerabilities” which CISA also warned about in its advisory on the same day. The issue affected Citrix NetScaler ADC and NetScaler Gateway.

CVE-2023-4966 is classified as a “sensitive information disclosure” vulnerability with a critical CVSS score of 9.4, an unusually high score for an information disclosure issue. The CVE also references “buffer-related vulnerabilities.” Researchers at Assetnote investigated and documented the exploitation of CVE-2023-4966 to understand the root cause, so that the lessons can feed back into secure software development.

In their analysis, the researchers compared two versions of Citrix NetScaler, 13.1-49.15 and 13.1-48.47, focusing on the “/netscaler/nsppe” binary, which houses the NetScaler Packet Processing Engine. This component contains a complete TCP/IP network stack and multiple HTTP services.

During the investigation, two functions, “ns_aaa_oauth_send_openid_config” and “ns_aaa_oauthrp_send_openid_config,” stood out. Both serve a similar purpose: they implement the OpenID Connect Discovery endpoint. Crucially, these functions can be reached without authentication via the “/oauth/idp/.well-known/openid-configuration” and “/oauth/rp/.well-known/openid-configuration” endpoints, respectively.

The function is relatively straightforward, as it creates a JSON payload for the OpenID configuration. It utilizes the ‘snprintf’ function to insert the device’s hostname into the payload at the designated positions. In the initial version, the response is promptly dispatched. However, in the updated (patched) version, the response is only transmitted if the ‘snprintf’ function returns a value below 0x20000.

The vulnerability arises due to the fact that the return value of “snprintf” is employed to ascertain the number of bytes sent to the client by “ns_vpn_send_response.” This is problematic because “snprintf” does not indicate the actual number of bytes it wrote to the buffer; instead, it reports the number of bytes it would have written if the buffer had been large enough.

Initially, the researchers believed that the only data inserted into the response was the configured hostname, which they assumed required administrator access to change. That assumption turned out to be incorrect: the value inserted into the payload did not come from the configured hostname but from the HTTP Host header. Because NetScaler inserted the hostname into the payload six times, the payload could be pushed to the 0x20000-byte buffer limit before either the Host header or the request as a whole became too long to be accepted.

Upon closer examination, researchers could readily identify a significant amount of memory leakage right after the JSON payload. Although a substantial portion of this leaked data consisted of null bytes, there were some concerning pieces of information in the response. Because the “print_temp_rule” buffer is a static global entity, the response remained consistent each time. Consequently, researchers could consistently retrieve the 65-byte hex string observed in the response and validate its legitimacy as a session cookie by utilizing it as the NSC_AAAC session cookie.
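The snprintf return-value misuse described above, as an added illustration in C that is not NetScaler code: the buffer name, the discovery-document template and its endpoint paths are constructed stand-ins for the “print_temp_rule” global and the real payload. The vulnerable builder hands snprintf's "would-be" length to the sender, while the hardened builder refuses to send when the output did not fit, the check the page attributes to the patched build.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, not NetScaler code: a static 0x20000-byte response
 * buffer (standing in for the page's static global) and a discovery-document
 * template that inserts the HTTP Host value six times, as the page describes. */
#define RESP_BUF_SIZE 0x20000
static char resp_buf[RESP_BUF_SIZE];
#define RESP_TEMPLATE \
    "{\"issuer\":\"https://%s\"," \
    "\"authorization_endpoint\":\"https://%s/oauth/idp/authorize\"," \
    "\"token_endpoint\":\"https://%s/oauth/idp/token\"," \
    "\"jwks_uri\":\"https://%s/oauth/idp/jwks\"," \
    "\"userinfo_endpoint\":\"https://%s/oauth/idp/userinfo\"," \
    "\"end_session_endpoint\":\"https://%s/oauth/idp/logout\"}"

/* Vulnerable pattern: returns snprintf's result as the number of bytes to
 * send. snprintf reports how long the output WOULD have been, so for an
 * oversized Host the count exceeds the buffer and the sender reads past the
 * JSON into adjacent memory (the leak the page describes). */
size_t build_openid_config_vulnerable(const char *host) {
    int n = snprintf(resp_buf, sizeof resp_buf, RESP_TEMPLATE,
                     host, host, host, host, host, host);
    return n < 0 ? 0 : (size_t)n;      /* may be >= RESP_BUF_SIZE */
}

/* Hardened pattern: treat the return value as a would-be length and refuse
 * to send when the output did not fit. Returns 0 to signal "reject". */
size_t build_openid_config_fixed(const char *host) {
    int n = snprintf(resp_buf, sizeof resp_buf, RESP_TEMPLATE,
                     host, host, host, host, host, host);
    if (n < 0 || (size_t)n >= sizeof resp_buf)
        return 0;                      /* truncated: send nothing */
    return (size_t)n;
}

/* Constructed Host value of host_len 'a' characters, for the demonstrations. */
static char host_scratch[RESP_BUF_SIZE];
static const char *make_host(size_t host_len) {
    if (host_len >= sizeof host_scratch) host_len = sizeof host_scratch - 1;
    memset(host_scratch, 'a', host_len);
    host_scratch[host_len] = '\0';
    return host_scratch;
}

/* Bytes each handler would pass to the sender for a Host of host_len bytes. */
size_t vulnerable_send_len(size_t host_len) { return build_openid_config_vulnerable(make_host(host_len)); }
size_t fixed_send_len(size_t host_len) { return build_openid_config_fixed(make_host(host_len)); }
```

With a short Host both paths agree; with a Host of a few tens of kilobytes the vulnerable path asks the sender for more bytes than the buffer holds, which is exactly the over-read the hardened check prevents.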

Vulnerable Software Version(s)

Multiple NetScaler versions, covering both ADC and Gateway, are affected. The list below shows the vulnerable versions of NetScaler.

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

| Vulnerability | CVE | CVSSv3.1 |
|---|---|---|
| Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | CVE-2023-4966 | 9.4 |

Mitigation

In its advisory, Citrix strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Conclusion

The vulnerable software is well-known and used by organizations worldwide. BIG-IP Virtual Edition is cloud agnostic and can be deployed on-premises or in a public and/or hybrid cloud environment, while Citrix NetScaler is a network device providing load balancing, firewall, and VPN services. NetScaler Gateway usually refers to the VPN and authentication components, whereas ADC refers to the load balancing and traffic management features. As attackers are actively targeting the vulnerabilities described here, readers are advised to apply the mitigations as soon as possible.

Our Recommendations

Here are our recommended measures to safeguard against such attacks:

  • Implement necessary mitigations and apply patches suggested by vendors to your organization’s cybersecurity infrastructure.
  • Stay vigilant by regularly monitoring vendor websites, security advisories, and mailing lists to stay up-to-date on the latest patches and vulnerabilities related to the applications you utilize.
  • Utilize vulnerability scanning tools to identify potential security weaknesses in your systems and applications. These tools are invaluable for detecting vulnerabilities that require immediate patching.
  • Establish a well-organized patch management process that includes a well-defined schedule for regular updates and patches. Make sure to prioritize the deployment of critical security patches.
  • Enhance security by isolating critical systems or sensitive data in a network segment that is not directly accessible from the internet. This reduces the attack surface and limits the potential impact of vulnerabilities.
  • Strengthen your network security posture by implementing security measures such as firewalls, intrusion detection systems, and intrusion prevention systems. These tools play a crucial role in monitoring and protecting your network from potential threats.

Source: https://cyble.com/blog/active-exploitation-of-big-ip-and-citrix-vulnerabilities-observed-by-cyble-global-sensor-intelligence-network/