Two Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway
by George Glass
Note: This vulnerability is highly likely to be exploited, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
An authentication bypass vulnerability, tracked as CVE-2024-0204, was discovered in Fortra's GoAnywhere MFT versions prior to 7.4.1 and allows an unauthorized user to create an admin user via the administration portal. This vulnerability has a CVSS score of 9.8 with a high potential for exploitation, which we expect to see in the short term due to a proof of concept (PoC) being available. Fortra informed customers on December 4, 2023, of the flaw via an internal forum post. The Kroll Cyber Threat Intelligence (CTI) team was made aware of the flaw after the disclosure of the vulnerability and immediately began investigating. Due to the ease, impact and availability of the exploit code, patches or mitigation actions must be applied immediately.
Researchers at Horizon3 have published a POC for this vulnerability, alongside a technical writeup. The flaw resides in a vulnerable endpoint that can be accessed via path traversal ”https://192.168.1.1:8001/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml”; this leads to an administrator account setup form. Combining this and rewriting the form submit request to include the path traversal to the setup endpoint allows an unauthenticated attacker to create an administrator account.
GoAnywhere was the target for many ransomware groups in 2023. Following the discovery of critical zero-day vulnerability CVE-2023-0669, the CL0P ransomware group, who discovered the flaw in the platform, held dozens of organizations to ransom. Once a patch and POC were made public, exploitation by other ransomware families such as LOCKBIT also occurred. The Kroll CTI team estimates that there are over 35,000 GoAnywhere instances available on the internet as of January 24, 2024.
MFT applications make an extremely valuable target for threat actors due to the highly sensitive information that is often shared on those platforms. One of the most impactful MFT exploits was another zero-day exploit discovered by CL0P, which the group used against the MOVEit platform.
Below are recommendations from the Kroll CTI team on addressing CVE-2024-0204:
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Threat intelligence are fueled by frontline incident response intel and elite analysts to effectively hunt and respond to threats.
Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.
Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.
Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle.
World-renowned cyber investigators and leading technology fuel Kroll’s managed security services, augmenting security operations centres and incident response capabilities.
by George Glass
by George Glass, Ryan Hicks
by George Glass, Ryan Hicks, Mikesh Nagar