You may have seen the recent security bulletin from Citrix that advises NetScaler ADC and NetScaler Gateway customers that a vulnerability allows threat actors to gain access to the NetScaler administration console. The Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert, notifying customers that an exploit existed for the vulnerability and was being actively used to target NetScaler deployments.
While a patch has been made available, the infrastructure of thousands of companies is at risk while the tedious patch process plays out. Organizations must choose between remaining vulnerable or shutting down access to thousands of users’ virtual desktops and massively disrupting operations.
A Zero-Day threat to VDI environments
The new vulnerability allows bad actors to gain access to the NetScaler administrative console by simply pushing a request with a long “Host” header that results in confusing the server into reading past the end of a buffer and disclosing data, including session tokens, to an unauthenticated bad actor.
Once that initial access is made, the user can modify the NetScaler VDI environment. This allows them to gain control and eventually lock out other users and administrators from accessing it. A ransom demand usually follows while thousands of users sit idle, unable to access the productivity tools in their virtual environments.
The vulnerability can be fixed with a simple patch, but updating can be a tedious and slow process. Additionally, the updates can cause an interruption in availability of virtual instances which are required by users. Meanwhile, the ransomware clock continues to tick with administrators never knowing when the sword may fall.
A secure path to mitigating the vulnerability
While organizations wait for the vulnerability to be addressed, there needs to be other protections in place to stop zero days. This solution needs to:
Hide the applications from the Internet
Making the application inaccessible from the Internet greatly reduces the threat exposure. Adding network filtering via IP allow-listing is a first step, but a more complete, zero-trust solution, enables access to only authorized users through trusted devices rather than rely on network connectivity alone.
Make sure the endpoint is not interacting with the application
Even if the application is hidden from the Internet, it can be compromised by an infected endpoint or an insider seeking to elevate privileges. Safeguard your application by adding a layer between the end-user browser and the application, and protect against attacks which are achieved by HTTP header manipulation, HTTP request smuggling, server side request forgery, etc.
Menlo offers a viable solution—in the long and short term
Menlo Security’s Secure Application Access has a way out of the uncertainty with a solution that protects against unknown vulnerabilities to your web applications. Accessing NetScaler’s management console via Menlo’s Secure Application Access will protect it from Citrix Bleed and other attacks which are carried by modifying headers. Menlo Security provides access to the admin interface to go through a trusted browser, preventing someone from sending malformed HTTP requests, adding headers, or POSTing arbitrary content to API endpoints. It can protect both your SaaS applications and your private applications.
While Menlo Security’s Secure Application Access addresses the same use cases as VDI through a different approach, it can also be used as an augmenting technology, allowing only authorized users with administrative credentials to access it. The Menlo Security solution will help guard the NetScaler management console and all your other web applications from attacks.