CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
Sigma rule (View on GitHub)
1title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
2id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1
3related:
4 - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
5 type: similar
6 - id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt
7 type: similar
8 - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
9 type: similar
10status: experimental
11description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
12references:
13 - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
14 - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
15 - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
16 - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
17 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
18author: Nasreddine Bencherchali (Nextron Systems)
19date: 2023/11/28
20tags:
21 - detection.emerging_threats
22 - attack.initial_access
23 - attack.t1190
24 - cve.2023.4966
25logsource:
26 category: webserver
27detection:
28 selection:
29 cs-method: 'GET'
30 cs-uri-stem|contains: '/oauth/idp/.well-known/openid-configuration'
31 cs-host|re: '.{150}'
32 condition: selection
33falsepositives:
34 - Vulnerability scanners
35level: high
References
-
-
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA v…
Read More -
On October 10, 2023, Citrix published an advisory on two vulns affecting NetScaler ADC and NetScaler Gateway. The more critical of these is CVE-2023-4966.
Read More -
It's time for another round Citrix Patch Diffing! Earlier this month Citrix released a security bulletin which mentioned "unauthenticated buffer-related vulnerabilities" and two CVEs. These issues affected Citrix NetScaler ADC and NetScaler Gateway.
Read More -
Repository to store exploits created by Assetnotes Security Research team - assetnote/exploits
Read More
Related rules
- CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- Exchange Exploitation Used by HAFNIUM
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)