Guidance on Issuing VEX Information

The Cybersecurity and Infrastructure Security Agency (CISA) has published When to Issue Vulnerability Exploitability eXchange (VEX) Information, a guide to help strengthen software security and supply chain risk management. This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information.
Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. This document identifies factors that influence the decision.
VEX allows a software supplier or other parties to assert the exploitability status of specific vulnerabilities in a particular product or set of products. Issuing VEX information allows developers, suppliers and others to provide information in a human-readable and machine-comprehensible format, regardless of whether software is affected by a specific vulnerability.
Widespread adoption of VEX is one of three critical steps CISA outlined for transforming and advancing the vulnerability management ecosystem. Also, VEX helps support secure-by-design practices and rewards organizations with proactive product security teams by streamlining responses to newly-discovered risks.
For more information on this and other VEX resources, visit Software Bill of Materials (SBOM).

Announcing Microsoft Applied Skills

Announcing Microsoft Applied Skills, a new verifiable credential that validates that you have the targeted skills needed to implement critical projects aligned to business goals and objectives. It offers you a new way to showcase your expertise in specific, real-world scenarios and verify technical skills that you—and your organization—need in real time. We are thrilled to share this exciting news about Applied Skills credentials, and we look forward to sharing more news soon. Read the blog.

Mass Exploitation of Citrix NetScaler Vulnerability

A critical information disclosure vulnerability, known as “Citrix Bleed” and affecting Citrix NetScaler ADC/Gateway devices, is being actively exploited by threat actors. The vulnerability, tracked as CVE-2023-4966, is remotely exploitable and can allow threat actors to obtain valid session tokens from the memory of internet-facing NetScaler devices. The stolen tokens can be used to hijack active sessions, bypassing authentication, including multi-factor authentication (MFA), to gain unauthorized access.
Citrix initially addressed the vulnerability in a security advisory on October 10, and on October 17 researchers determined that threat actors had been exploiting the vulnerability since at least August 2023. A Python script that automates the attack chain has been distributed by a ransomware threat group, and attacks have become more widespread over the past several days.
Organizations are strongly advised to update impacted devices and to verify that accounts and devices have not been compromised.
Initial indicators of compromise may include the downloading of executable files from a command-and-control server, running commands consistent with elevating privileges and network enumeration, and preparing files for exfiltration.
Organizations whose Citrix devices were compromised are advised to remove impacted devices from the network, terminate all active sessions, and remove any backdoors or web shells to ensure all threat actor access to the device has been disabled; simply updating the system is insufficient. Mandiant provides guidance on addressing Citrix NetScaler ADC and NetScaler Gateway vulnerabilities.
Affected Citrix devices include:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300
GreyNoise maintains a running list of malicious IP addresses involved in the recent exploitation of Citrix NetScaler devices, which could be useful for network defenders and forensic analysts.
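A small inventory check built from the affected-version list above, added here as an example and not code from CISA, Citrix or the advisory itself: it parses a NetScaler version string in the advisory's "branch-build" form, compares the build against the fixed build for that branch and FIPS/NDcPP variant, and flags hosts that predate the fix or sit on a branch the list does not cover. The optional "NS" prefix handling and the triage helper are assumptions for convenience, not part of the advisory.

```python
import re
from typing import Optional

# Fixed builds from the advisory excerpt above: a device on the listed branch
# whose build is *before* this number is in the affected range.
# Key: (branch, variant); variant is None for standard (non-FIPS/NDcPP) builds.
FIXED_BUILDS = {
    ("14.1", None): (8, 50),
    ("13.1", None): (49, 15),
    ("13.0", None): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Accepts the advisory's "<branch>-<build>" form, e.g. "13.1-49.13". An optional
# leading "NS" is tolerated as an assumption; it is not part of the advisory text.
_VERSION_RE = re.compile(r"^(?:NS)?(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str):
    """Return (branch, (build_major, build_minor)) or raise ValueError."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected(version: str, variant: Optional[str] = None) -> Optional[bool]:
    """True if the build predates the fix, False if it is at/after the fix,
    None if the branch/variant pair is not in the table (needs manual review)."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (49, 13) < (49, 15) is True


def triage(inventory):
    """inventory: [(hostname, version, variant), ...]. Returns hosts that are
    affected or of unknown status, affected ones first."""
    results = []
    for host, version, variant in inventory:
        status = is_affected(version, variant)
        if status is None:
            results.append((host, "unknown-branch"))
        elif status:
            results.append((host, "affected"))
    results.sort(key=lambda r: r[1] != "affected")
    return results
```

A host reported as "unknown-branch" is not cleared: it is simply outside the six ranges listed above and needs to be checked against the vendor advisory directly.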