The Latest High-Severity Citrix Vulnerability Under Attack Isn't Easy To Fix

The Latest High-Severity Citrix Vulnerability Under Attack Isn't Easy To Fix (arstechnica.com) 3

Posted by msmash on Friday October 20, 2023 @12:00PM from the PSA dept.

A critical vulnerability that hackers have exploited since August, which allows them to bypass multifactor authentication in Citrix networking hardware, has received a patch from the manufacturer. Unfortunately, applying it isn't enough to protect affected systems. ArsTechnica: The vulnerability, tracked as CVE-2023-4966 and carrying a severity rating of 9.8 out of a possible 10, resides in the NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. Stemming from a flaw in a currently unknown function, the information-disclosure vulnerability can be exploited so hackers can intercept encrypted communications passing between devices. The vulnerability can be exploited remotely and with no human action required, even when attackers have no system privileges on a vulnerable system.

Citrix released a patch for the vulnerability last week, along with an advisory that provided few details. On Wednesday, researchers from security firm Mandiant said that the vulnerability has been under active exploitation since August, possibly for espionage against professional services, technology, and government organizations. Mandiant warned that patching the vulnerability wasn't sufficient to lock down affected networks because any sessions hijacked before the security update would persist afterward.

The Latest High-Severity Citrix Vulnerability Under Attack Isn't Easy To Fix

This discussion has been archived. No new comments can be posted.

Load All Comments

Search 3 Comments Log In/Create an Account

Comments Filter:

Citrix has been moribund for a while now (Score:2)

by gweihir ( 88907 ) writes:

Companies like them die slowly, but when they start to mess their products up so badly they cannot fix them anymore, they do eventually die. Other example: Microsoft. They probably have accumulated so much technological debt by now that they cannot survive anymore, long-term.
The company's first product was Citrix Multiuser . (Score:2)

by Mirnotoriety ( 10462951 ) writes:

“The company's first product was Citrix Multiuser [wikipedia.org], an extension of OS/2 developed over two years. Citrix licensed the OS/2 source code from Microsoft,[5][6][10] and developed its own Independent Computing Architecture (ICA) protocol for Citrix Multiuser.[citation needed] Multiuser allowed multiple users working on separate computers remote access to software on a server, even from computers not built to run OS/2.[10][11] Three days before the product launched in 1991, Microsoft announced they would be

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

The Latest High-Severity Citrix Vulnerability Under Attack Isn't Easy To Fix (arstechnica.com) 3

The Latest High-Severity Citrix Vulnerability Under Attack Isn't Easy To Fix More Login

The Latest High-Severity Citrix Vulnerability Under Attack Isn't Easy To Fix

Citrix has been moribund for a while now (Score:2)

The company's first product was Citrix Multiuser . (Score:2)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot