SonicWall Capture Labs Threat Research Team became aware of the threat Citrix Bleed, assessed its impact and developed mitigation measures for the vulnerability.

Citrix NetScaler is an Application Delivery Controller (ADC) and load balancer designed to enhance the performance and security of web-based applications. Produced by Citrix Systems, NetScaler ensures the swift, reliable and secure delivery of applications to devices everywhere. It combines advanced traffic management, application security, content switching and optimization features in one platform.

Citrix NetScaler, encompassing both ADC and NetScaler Gateway, recently came under scrutiny for a vulnerability identified as CVE-2023-4966. As of October 18th, CISA has reported active exploitation of this vulnerability. This flaw pertains to a sensitive information disclosure that can occur when the system is set up as a Gateway (encompassing VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA "virtual" server. Notably, the vulnerability corresponds to CWE-119, which is described as "improper restriction of operations within the bounds of a memory buffer". In some configurations, the sensitive information disclosed can include a valid session token.

The affected versions are:
  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

This vulnerability has been patched by Citrix on October 10th and can be mitigated by upgrading to the latest version of NetScaler.

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-4966.

The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:X/RL:X/RC:X).

Base score is 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), based on the following metrics:
  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is Low.
Temporal score is N/A (E:X/RL:X/RC:X), based on the following metrics:
  • The exploit code maturity level of this vulnerability is Not Defined.
  • The remediation level of this vulnerability is Not Defined.
  • The report confidence level of this vulnerability is Not Defined.

In an effort to pinpoint the vulnerability, a comparative analysis was conducted between the two specific versions of the software: the older 13.1-48.47 and the newer 13.1-49.15. By meticulously examining the differences and updates between these versions, we were able to identify the exact location of the patch and gain a deeper understanding of the vulnerability's nature. In Figure 1 the differences can be seen by using the tool BinDiff.

The ns_vpn_process_unauthenticated_request function has been meticulously crafted to build and validate the URL /oauth/idp/.well-known/openid-configuration. Within its implementation, there is a significant call to ns_aaa_oauth_send_openid_config, which makes use of the snprintf function as seen in Figure 2.

The primary role of this function is to format and populate the print_temp_rule buffer with a series of characters and values. Delving into its specifics: the destination buffer is print_temp_rule, and it has a Maximum Size of 0x20000, which is equivalent to roughly 128 KB. The format string, a comprehensive JSON object, as seen in Figure 3, details the OpenID Connect configuration.

The snprintf as seen in Figure2, employs multiple %.*s format specifiers which expect a length and a string as paired arguments. These specifiers are used to define various OAuth and OpenID Connect endpoints, with the base URL or domain inferred from the variable host_string. To shed light on the arguments (figure 2): length denotes the length of the host_string and ensures only up to length characters from host_string are printed. The host_string reference is the base URL or domain that fills in the respective URLs in the JSON.

In the aftermath of this operation, not_size_buffer will hold the count of characters intended for print_temp_rule, excluding the null byte, if there were no buffer constraints. This behavior of snprintf is typical: It returns the number of characters it aims to write, irrespective of the size limit that might truncate the actual write-up. Thus, not_size_buffer captures the length of the fully constructed JSON string.

This function's design intricacies go beyond just formatting; there's a security facet to it. Initially, the function would instantly send out the response. But in its patched form, a response is dispatched only if snprintf yields a value less than 0x20000.

There's a vulnerability in how the return value of snprintf is used to determine how many bytes are sent to the client through ns_vpn_send_response. Contrary to what one might expect, snprintf doesn't return the number of bytes it actually writes to the buffer. Instead, it returns the number it would have written if the buffer was large enough. This is where the security risk comes into play. The return value is being incorrectly used as the number of bytes written to the buffer.

  • The target must be running NetScaler Citrix Firmware version prior to 13.1-49.15.
  • The attacker must have network access to the vulnerable software.
  • Sending a GET request to the endpoint: /oauth/idp/.well-known/openid-configuration,
containing Host: a (any 'char' to the power of 24,576).

To exploit this vulnerability, the attacker’s goal is to generate a response that exceeds a buffer size of 0x20000 bytes. If successful, the application would send not only the filled buffer but also the memory following the print_temp_rule buffer, potentially exposing sensitive data or causing other unexpected issues. Proof of concept code has been published and active exploitation of this vulnerability has been reported by CISA on October 18th. Included in the leaked information, depending on the appliance’s configuration, is a 65 byte long hex string which is a valid session cookie. As a resulted an attacker can use this session key to impersonate an active user.

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4130 NetScaler ADC/Gateway Information Disclosure

The risks posed by this vulnerability can be mitigated or eliminated by:
  • Applying the vendor-supplied patch to eliminate this vulnerability.
  • Utilizing up-to-date IPS signatures to filter network traffic.
  • Alternatively, consider taking the server offline.

  • CVE-2023-4966
  • CNA CVSS Metrics
  • Vendor Advisory
  • Citrix Bleed
  • Public POC

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  phpPgAdmin is an open-source, web-based administration tool for managing PostgreSQL, an advanced, enterprise-class, and open-source relational database system. phpPgAdmin is written in PHP and provides a user-friendly interface that allows users to perform various database management tasks. Users can create, modify, and delete databases, tables, and records through this interface, making it a valuable tool for those who prefer a graphical user interface over command-line interaction.

  It has been reported that phpPgAdmin 7.14.4 and earlier versions have a deserialization vulnerability. Deserialization vulnerabilities occur when an application unsafely processes external input during the deserialization process, potentially leading to code execution, denial of service, or elevation of privileges. This vulnerability underscores the importance of using secure coding practices and regularly updating software to protect against known vulnerabilities.

  Vendor Homepage

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-40619.

  CVE Listing

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept code.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

  The doEmpty function in the tables.php file is responsible for emptying tables in a database, and it is designed to handle both single and multiple table emptying operations. It works by taking user input from the $_REQUEST['ma'] or $_REQUEST['table'] global variables, which are populated by the client through HTTP GET or POST requests. When multiple tables are specified through $_REQUEST['ma'], the function iterates over each table, unserializes the user input, and performs the emptying operation on each specified table. The use of the unserialize function here is critical as it exposes a potential security vulnerability known as PHP Object Injection due to the way it handles serialized objects.

  PHP Object Injection vulnerabilities occur when user-supplied input is passed to the unserialize function, which can result in the instantiation of objects and the execution of the magic method __wakeup. In this specific case, the user could potentially pass a serialized object with a malicious __wakeup method to the $_REQUEST['ma'] variable, leading to the execution of arbitrary PHP code. This could allow an attacker to perform various malicious activities, such as executing system commands, creating, deleting, or modifying files, or even launching attacks against other systems. Consequently, the use of unserialize on user-supplied data in this function poses a severe security risk and could lead to a full server compromise if exploited successfully.

  To mitigate the risks associated with this vulnerability, it is crucial to avoid using the unserialize function on user-supplied input. Instead, alternative methods for handling user data, such as JSON encoding and decoding, should be employed. Additionally, input validation and sanitization should be implemented to ensure that only expected and safe data is processed by the application.

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious serialized payloads to the tables.php endpoint.
  • The query string parameter 'ma' is used to trigger the 'unserialize' function by injecting serialized data.

  The unserialize() deserialization vulnerability in PHP occurs when the unserialize() function is passed user input without adequate validation, consequently triggering magic methods like __wakeup() or __destruct() in an object-oriented context. These magic methods are invoked automatically during deserialization, providing an avenue for attackers to execute malicious code or carry out other harmful activities. The vulnerability underscores the importance of validating or sanitizing user input and avoiding the use of unserialize() with untrusted data, to prevent potential exploitation.

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  • IPS:15919 phpPgAdmin Insecure Deserialization

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Configure the vulnerable product to allow access to trusted clients only.
    • Update to a non-vulnerable version of the product.
    • Filter attack traffic using the signature above.
  A Third Party has released the following advisory regarding this vulnerability:
  Third Party Advisory

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  KSMBD is an integral server component within the Linux kernel. Its primary function is to implement the SMBv3 protocol, which is essential for sharing files over a network. Operating in kernel space ensures that KSMBD offers efficient and seamless file sharing capabilities to users of the Linux operating system.

  Recently, a significant vulnerability has been identified in ksmbd. This vulnerability stems from a NULL pointer dereference issue, a critical flaw in the system's architecture. The root cause of this vulnerability is the system's inability to validate user-supplied data adequately, especially when processing compounded requests. Given the importance of ksmbd in the Linux Kernel, this vulnerability raises substantial security concerns.

  The vulnerability provides an avenue for remote attackers to compromise the system. By sending specifically crafted packets to the target, which is vulnerable, attackers can exploit this flaw. If they succeed in their exploitation attempt, the aftermath can be detrimental, leading to a denial of service. This means that the targeted system could be rendered inoperable, disrupting its functionality and potentially causing significant downtime.

  Vendor Homepage

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-3866.

  CVE Listing

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

  A NULL pointer dereference vulnerability has been identified in the ksmbd kernel module when it processes compounded SMB2 requests. This issue arises because certain pointer validations can be overlooked during the processing of combined SMB2_NEGOTIATE, SMB2_SESSION_SETUP, or SMB2_ECHO requests.

  The internal function, __handle_ksmbd_work, manages these incoming SMB messages. This function invokes smb2_check_user_session() to ensure the SMB2 message contains a valid session ID for the intended operation, and smb2_get_ksmbd_tcon() to check if the SMB2 message has a valid tree ID. Notably, these validations always pass for the aforementioned SMB2 requests since they haven't established a session.

  The vulnerability emerges when the function doesn't account for these SMB2 requests being part of compounded requests. If the NextCommand field in any such SMB2 message isn't set to zero, subsequent SMB2 requests sidestep the validation, potentially leading to a NULL pointer being used in session or tree dereferences.

  • The vulnerable system must be listening on the vulnerable SMB port, and accept incoming connections.
  • The attacker must have connectivity to the target system.

  The attacker establishes a connection with the targeted ksmbd server. Once this connection is in place, the server becomes susceptible to the aforementioned threat. The vulnerability is activated when the attacker transmits a compounded request loaded with malicious content to the server in question. It's essential for server administrators to be aware of such vulnerabilities to ensure their systems are adequately protected and to monitor for any unusual connection requests.

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMB/CIFS
  

  • IPS: 4022 Linux Kernel ksmbd NULL Pointer Dereference 1
  • IPS: 19332 Linux Kernel ksmbd NULL Pointer Dereference 2
  • IPS: 19333 Linux Kernel ksmbd NULL Pointer Dereference 3

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Configure the vulnerable product to allow access to trusted clients only.
    • Update to a non-vulnerable version of the product.
    • Filter attack traffic using the signatures above.
  The vendor has released the following commit regarding this vulnerability:
  Vendor Advisory