UPDATED 10:39 EDT / OCTOBER 30 2023

New Citrix Bleed vulnerability of NetScaler network devices

Earlier this month another vulnerability was found in Citrix Systems Inc.’s NetScaler and NetGateway product lines. This time around, the Citrix Bleed exploit is a lot more dangerous and harder to snuff out.

In July and August, about 2,000 NetScalers were exploited by a threat actor to gain persistent access. NetScaler and NetGateway perform a variety of network security functions, including load balancing, application firewalls and proxy services.

The Citrix Bleed exploit allows attackers to retrieve session cookies to gain unauthorized access. The company announced patches on Oct. 10 for several versions, with the exception of v12.1, which is still vulnerable and considered past its end of life. But then other issues were discovered.

Last week, the scope of the problem became clearer. Google LLC’s Mandiant research group found another vulnerability that wasn’t fixed by these patches. Other researchers, including Assetnote, found the exploit in their telemetry going back to August and issued a proof-of-concept example. This can serve as a demonstration, as well as a mechanism for network administrators to test their own systems. Assetnote also published further technical details showing how the exploit works.

Mandiant found instances where the exploit was used to infiltrate the infrastructure of government entities and technology corporations, and the Cybersecurity and Infrastructure Security Agency added the exploit to its catalog and issued warnings to federal agencies. Mandiant and Citrix both urged those that haven’t yet patched their systems to do so as soon as possible. Greynoise, another security research firm, reported that more than a dozen unique IP addresses were still unpatched as of the weekend, according to data extracted from its own telemetry.

Session cookie-based attacks have been in the news recently because they make it easier for hackers to breach systems without having to find and steal login credentials. They’re also useful to attackers because the cookies are designed to persist across reboots of the equipment, and in some cases the initial patches offered by vendors don’t take this into account: patching the software alone does not invalidate sessions that were already stolen. A similar set of session cookie attacks was behind a series of attacks aimed at Cisco Systems Inc. IOS devices earlier in the month.
