NC4 Public

NC4-ALR-2023-000005

Multiple Vulnerabilities Exploited in the Wild and Potential Threat Exposures to Organisations in Malaysia

Introduction

The National Cyber Coordination and Command Centre (NC4) has been alerted that several vulnerabilities affecting Citrix ADC instances are being actively exploited in the wild, giving unauthenticated adversaries the potential to expose session tokens. At the same time, a zero-day vulnerability in Zimbra's email server has been reported, which was actively exploited in targeted attacks by threat actors. NC4 would like to remind System Administrators and Network Administrators to implement sufficient cyber security measures to ensure that systems and networks are secure at all times.

Impact

Unauthorized access can result in valuable information, credentials, authentication tokens, and sensitive records being compromised and exploited by unknown entities, with consequences for affected organisations and government.

Brief Description

A critical security flaw denoted as CVE-2023-4966 has been identified, impacting Citrix ADC instances. This vulnerability presents a substantial risk, potentially enabling unauthenticated attackers to expose session tokens. Significantly, remote exploitation of this vulnerability requires no user interaction.

In particular, Citrix NetScaler appliances configured as Gateways, encompassing VPN virtual servers, ICA Proxy, CVPN, and RDP Proxy, or those designated as AAA virtual servers, are susceptible to exploitation. 

In a separate incident, Google's Threat Analysis Group (TAG) initially detected a zero-day vulnerability within Zimbra's email server in June. This reflected cross-site scripting (XSS) vulnerability was actively exploited in targeted attacks, prompting Zimbra to promptly address the security concern.

On July 5, 2023, Zimbra took immediate action by releasing a hot fix for the vulnerability on its public GitHub repository. To ensure widespread awareness and furnish organisations with timely guidance, Zimbra issued an initial advisory with comprehensive remediation recommendations on July 13, 2023.

Recognising the critical nature of the vulnerability, Zimbra expedited the remediation process, officially patching the vulnerability as CVE-2023-37580 on July 25, 2023. NC4 strongly advises organisations employing Zimbra's email server to expeditiously implement the provided patches and adhere to the outlined remediation guidance to fortify the security of their email infrastructure.

Affected Product

Citrix ADC, Citrix Gateway, Zimbra mail server.

Recommendation

Organisations are advised to be vigilant and to take the following actions: 

  1. Promptly install the relevant updated versions of NetScaler ADC, NetScaler Gateway and Zimbra mail server that address the vulnerabilities, as advised by Citrix and Zimbra.
  2. Strengthen access controls on the affected products by implementing strong authentication and encryption mechanisms, such as multi-factor authentication, SSL certificates and VPNs. Additionally, consider restricting access to the administrative interface to only trusted and authorized users and networks.
  3. Conduct a thorough assessment, identify compromised systems, and assist in mitigating the potential impact of the breach.
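Recommendation 3 asks administrators to identify compromised systems. Because CVE-2023-4966 exposes session tokens, one indicator worth reviewing on gateway access logs is a single session token being used from more than one client address within a short interval. The following Python script is an added example written for this advisory; it is not code from NC4, Citrix or Zimbra. The log line layout (timestamp, client IP, `sess=<token>`, method, path) is a constructed assumption rather than any product's real log format, and the 30-minute window is an arbitrary assumption to tune for the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access log (NOT real NetScaler or Zimbra output).
# The field layout "timestamp client_ip sess=<token> method path" is an
# assumption made for this example.
SAMPLE_LOGS = """\
2023-10-20T08:00:01Z 203.0.113.10 sess=AAA111 GET /vpn/index.html
2023-10-20T08:05:12Z 203.0.113.10 sess=AAA111 GET /cgi/login
2023-10-20T08:06:40Z 198.51.100.77 sess=AAA111 GET /cgi/login
2023-10-20T09:00:00Z 203.0.113.22 sess=BBB222 GET /vpn/index.html
2023-10-20T09:30:00Z 203.0.113.22 sess=BBB222 GET /logout
2023-10-20T10:00:00Z 203.0.113.30 sess=CCC333 GET /vpn/index.html
2023-10-20T18:00:00Z 192.0.2.5   sess=CCC333 GET /vpn/index.html
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+sess=(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, client_ip, token, method, path).

    Returns None for lines that do not match the assumed layout so that a
    malformed line never aborts the whole review.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts_text, ip, token, method, path = m.groups()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip, token, method, path


def find_shared_sessions(log_text, window_minutes=30):
    """Return {token: sorted list of client IPs} for every session token that
    was used from two different client IPs within `window_minutes` of each
    other. A token that simply reappears from a new address after a long gap
    (a user reconnecting hours later) is not flagged, which keeps the review
    focused on concurrent use that is consistent with a stolen token.
    """
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)  # token -> [(timestamp, client_ip), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, token, _, _ = parsed
        events[token].append((ts, ip))

    flagged = {}
    for token, seen in events.items():
        seen.sort()  # chronological order so adjacent pairs are comparable
        for (t1, ip1), (t2, ip2) in zip(seen, seen[1:]):
            if ip1 != ip2 and (t2 - t1) <= window:
                flagged[token] = sorted({ip for _, ip in seen})
                break
    return flagged


if __name__ == "__main__":
    for token, ips in find_shared_sessions(SAMPLE_LOGS).items():
        print(f"session {token} used from multiple clients within window: {', '.join(ips)}")
```

In the constructed sample, token `AAA111` is used from two addresses about a minute apart and is reported, while `CCC333` moves to a new address eight hours later and is not. Flagged sessions are a starting point for the assessment in Recommendation 3, not proof of compromise on their own; the affected user and the second address should be checked against VPN and proxy allocations before the session is invalidated.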

References

  https://nvd.nist.gov/vuln/detail/CVE-2023-4966#vulnConfigurationsArea
  https://support.citrix.com/article/CTX579459
  https://blog-google.cdn.ampproject.org/c/s/blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/amp/