The Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center has released a notice strongly encouraging health care organizations to upgrade their devices due to a vulnerability. Known as “Citrix Bleed,” this vulnerability has been ongoing since August 2023 and could allow hackers to access private health care information by bypassing passwords and multifactor authentication.
The systems vulnerable to Citrix Bleed include NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Affected versions include:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC and NetScaler Gateway version 12.1 (EOL)
- NetScaler ADC 13.1-FIPS before 13.1-37.163
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
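One way to check an appliance inventory against the list above, as an added example that is not from HHS or Citrix. It assumes version strings in the page's own `release-build` notation; the edition labels (`standard`, `fips`, `ndcpp`), the function names and the sample inventory are constructed for illustration.

```python
import re

# First fixed build per (release, edition), copied from the list above.
# None = the end-of-life 12.1 line, for which the page lists no fixed build.
FIXED = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("12.1", "standard"): None,
    ("13.1", "fips"): (37, 163),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def assess(version, edition="standard"):
    """Return 'affected', 'fixed' or 'unlisted' for a 'release-build' string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = m.group(1)
    # Compare builds as integer pairs: as text, "12.35" would sort before "8.50".
    build = (int(m.group(2)), int(m.group(3)))
    key = (release, edition.lower())
    if key not in FIXED:
        return "unlisted"  # release/edition not covered by this notice
    threshold = FIXED[key]
    if threshold is None:
        return "affected"  # EOL line: every build is listed as vulnerable
    return "affected" if build < threshold else "fixed"

def triage(inventory):
    """Return hostnames whose appliances still need the upgrade."""
    return [host for host, ver, ed in inventory if assess(ver, ed) == "affected"]

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("adc-01", "13.1-49.13", "standard"),
    ("adc-02", "14.1-12.35", "standard"),
    ("gw-01", "12.1-65.35", "standard"),
    ("adc-fips", "12.1-55.300", "fips"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(f"{host}: upgrade required")
```

A result of `fixed` only describes the build: sessions established before the upgrade still have to be terminated.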
Citrix released a patch for this vulnerability in early October, but sessions compromised before patching will still be active after the patch has been applied. Administrators should follow Citrix’s guidance to upgrade their devices and remove any active or persistent sessions with the following commands:
- kill aaa session -all
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- clear lb persistentSessions
Additional recommended actions for investigating any potential Citrix Bleed exploits have been provided by NetScaler. Further technical details, threat activity, and indicators of compromise can be obtained here and here. Users and administrators are strongly encouraged to review these recommended actions and upgrade devices to prevent serious damage.