Threat Actors Actively Targeting Health Care Through “Citrix Bleed” NetScaler Vulnerability

Posted on November 17, 2023 in Health Information Technology, Health Law News

Published by: Hall Render

On October 10, 2023, Citrix released security updates for its NetScaler ADC and NetScaler Gateway appliances to remedy a vulnerability dubbed “Citrix Bleed” under CVE-2023-4966. As of October 17, Citrix and the Cybersecurity and Infrastructure Security Agency confirmed that active exploits by threat actors had been observed on unpatched systems. Additionally, cybersecurity firm Mandiant announced that they observed threat actors exploiting the vulnerability as far back as August 2023. Citrix NetScaler appliances are widely used among health care organizations to facilitate remote and onsite authentication and access to critical applications such as Electronic Medical Records, imaging viewers, remote desktops and other applications. Once a threat actor has exploited the vulnerability and gained access to an organization’s network, they can launch a variety of cyberattacks, including ransomware. Security researchers have described the exploitation of the vulnerability as low-complexity and have speculated that the LockBit ransomware gang is already utilizing the vulnerability to execute attacks.

Risk Mitigation Recommendations

Though Citrix Bleed was first announced in October, Hall Render has recently observed that health care organizations are seeing increased threat activity due to this vulnerability and is advising all clients to review their currently installed Citrix NetScaler versions and apply the available patches as soon as possible.

Affected versions of the NetScaler ADC and Gateway are:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life and are vulnerable.
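
The version list above can be turned into an inventory check. The following is an added example, not code from Hall Render or Citrix: it compares each appliance's build against the first fixed build for its branch and edition. The hostnames, the sample builds and the "NS13.1: Build ..." banner format are assumptions made for illustration.

```python
import re

# First fixed build per (release branch, edition), copied from the list above.
FIXED_BUILDS = {
    ((14, 1), "standard"): (8, 50),
    ((13, 1), "standard"): (49, 15),
    ((13, 0), "standard"): (92, 19),
    ((13, 1), "fips"): (37, 164),
    ((12, 1), "fips"): (55, 300),
    ((12, 1), "ndcpp"): (55, 300),
}
# Standard 12.1 is End-of-Life and vulnerable at every build (see the note above).
EOL_VULNERABLE = {((12, 1), "standard")}

# Accepts "13.1-49.15" as written above; the "NS13.1: Build 49.15.nc" banner
# form is an assumption about how the appliance reports its version.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\D+?(\d+)\.(\d+)")


def assess(version, edition="standard"):
    """Return 'vulnerable', 'patched', 'eol-vulnerable' or 'not-listed'."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    major, minor, b1, b2 = map(int, m.groups())
    key = ((major, minor), edition.lower())
    if key in EOL_VULNERABLE:
        return "eol-vulnerable"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "not-listed"  # branch/edition the advisory does not cover
    # Compare builds as integer tuples: as text, "12.35" sorts before "8.50".
    return "vulnerable" if (b1, b2) < fixed else "patched"


def triage(inventory):
    """Map hostname -> status for every appliance that is not 'patched'."""
    return {host: status for host, ver, ed in inventory
            if (status := assess(ver, ed)) != "patched"}


# Constructed inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [
    ("adc-emr-01", "13.1-48.47", "standard"),
    ("adc-emr-02", "NS13.1: Build 49.15.nc", "standard"),
    ("gw-remote-01", "14.1-12.35", "standard"),
    ("adc-fips-01", "13.1-37.164", "fips"),
    ("adc-legacy-01", "12.1-65.25", "standard"),
]
```

The edition argument matters: build 13.1-37.164 is the fixed build for 13.1-FIPS but is still below the 13.1-49.15 threshold for the standard 13.1 release.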

Full remediation steps and recommendations can be found on the NetScaler blog.

Hall Render attorneys are monitoring updates as this cyber threat continues to escalate across the health care industry. We encourage you to ensure that your IT teams are actively monitoring your network for any signs of malicious activity and promptly applying recommended patches and updates. If you notice any such activity, you should initiate your incident response plan, including engaging experienced legal counsel and digital forensics investigators.

If you have any questions or would like more information on this topic, please contact:

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.