
Patching alone is not enough to stop the Citrix Bleed bug

  • November 22, 2023

Companies with a vulnerable Citrix Netscaler server are urged to apply the patch as soon as possible, but this is only part of the solution.

Citrix rolled out a patch against CVE-2023-4966, a vulnerability also known as “Citrix Bleed,” at the end of October. The vulnerability affects various models of Citrix NetScaler ADC and NetScaler Gateway; the overview can be found in our previous article. A week ago, at least ten thousand servers were vulnerable and there were already victims, of which Boeing is perhaps the best-known name. In a blog post, Citrix reiterates that it is taking action.

Of course, this starts with installing the patch, but unlike with many vulnerabilities, this time the patch is only a stopgap solution. According to Citrix, it is also necessary to delete all active user sessions. Citrix also issued this warning in October, but not everyone seems to have understood it.

Run away with tokens

The flaw can leak authentication tokens from Citrix NetScaler software. Attackers gain access to the server’s memory and can search for stored tokens there. These tokens are legitimate, so attackers can pose as an authorized user and remain undetected. Stolen tokens remain active even after a patch.

Patching is therefore essential, but patching alone is not enough to protect your server. IT administrators should look through the logs for suspicious behavior authenticated by legitimate tokens, and everyone would be wise to reset sessions. Citrix shares the following commands for this purpose:

kill aaa session -all

kill icaconnection -all

kill rdp connection -all

kill pcoipConnection -all

clear lb persistentSessions
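
The log review recommended above can be sketched as follows. This is an added example, not code from Citrix or IT Daily; the CSV record layout, the session data and the patch time are constructed for illustration and are not NetScaler's actual log format. It flags sessions whose token is used from more than one client address and sessions that were created before the patch and are still in use afterwards.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a hypothetical layout (not a NetScaler format):
# timestamp,session_id,user,client_ip
SAMPLE_LOG = """\
2023-10-20T08:01:00,sess-a1,alice,198.51.100.10
2023-10-20T09:15:00,sess-b2,bob,198.51.100.22
2023-10-24T07:30:00,sess-a1,alice,198.51.100.10
2023-10-24T07:42:00,sess-a1,alice,203.0.113.77
2023-10-24T08:05:00,sess-c3,carol,198.51.100.31
2023-10-24T08:20:00,sess-c3,carol,198.51.100.31
"""

# Assumed time at which the patch was installed (constructed value).
PATCH_TIME = datetime.fromisoformat("2023-10-23T22:00:00")


def parse(log_text):
    """Yield (timestamp, session_id, user, client_ip) for each record."""
    for line in log_text.strip().splitlines():
        ts, sid, user, ip = (field.strip() for field in line.split(","))
        yield datetime.fromisoformat(ts), sid, user, ip


def review_sessions(log_text, patch_time):
    """Return {session_id: [reasons]} for sessions that deserve a closer look."""
    seen = defaultdict(lambda: {"ips": set(), "first": None, "last": None})
    for ts, sid, _user, ip in parse(log_text):
        s = seen[sid]
        s["ips"].add(ip)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    findings = {}
    for sid, s in seen.items():
        reasons = []
        # A single session token presented from several addresses may be replayed.
        if len(s["ips"]) > 1:
            reasons.append("multiple_client_ips")
        # Tokens issued before the patch stay valid until the session is killed.
        if s["first"] < patch_time <= s["last"]:
            reasons.append("pre_patch_session_still_active")
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in review_sessions(SAMPLE_LOG, PATCH_TIME).items():
        print(sid, ", ".join(reasons))
```

A change of client address can also be legitimate, for example a user moving between networks, so treat the output as a list of sessions to investigate and terminate rather than as proof of compromise.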

Source: IT Daily
