CitrixBleed Mitigation CVE-2023-4966

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

Short Description

The Citrix Bleed vulnerability (CVE-2023-4966, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4966) in NetScaler ADC and NetScaler Gateway is being exploited in the wild and is impacting many organisations (https://www.malwarebytes.com/blog/news/2023/11/citrix-bleed-widely-exploitated-warn-government-agencies).

If you have a BIG-IP in front of your Citrix platform, you can gain visibility of this exploit and potentially mitigate malicious requests.

Problem solved by this Code Snippet

This iRule catches requests to the exploit URL, writes a log entry and increments an iStat, and can optionally drop requests whose Host header exceeds a configured length.

How to use this Code Snippet

Create the iRule and assign it to the virtual server in front of the Citrix device.

Code Snippet Meta Information

  1. Version: TMOS v11+
  2. Coding Language: iRule

Full Code Snippet

when RULE_INIT priority 500 {
    # This is an iRule to be used to capture and possibly mitigate against known Citrix Bleed attacks
    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4966
    # There is no support implied in using this iRule, you use it at your own risk
    # Version 1 Peter White
    # Note that all requests to /oauth/idp/.well-known/openid-configuration will be logged in /var/log/ltm for later checking of source address etc
    # and all requests with a hostname of more than 100 characters will be assumed to be malicious

    # Set the variable below to 1 or 0 to turn on blocking of known malicious requests
    set static::cb_block 1
    # Set the host header max length. Note that the PoC uses a length of 24576
    set static::cb_host_max_length 100
    # Log prefix - set the log prefix for the warning logs for this iRule
    set static::cb_log_prefix "CB"
}
when HTTP_REQUEST priority 100 {
    if { [HTTP::path] equals "/oauth/idp/.well-known/openid-configuration" } {
        log local0.warn "$static::cb_log_prefix [virtual name] [IP::client_addr] [TCP::client_port] [whereis [IP::client_addr] continent] [whereis [IP::client_addr] country]"
        # Note that you can see the iStat using the command 'tmsh show ltm virtual <virtual server name>' and look at User-defined stats at the bottom
        ISTATS::incr "ltm.virtual [virtual name] counter CB_log" 1
        if { $static::cb_block && ([string length [HTTP::header Host]] > $static::cb_host_max_length) } {
            # Silently drop the connection; the request has already been logged and counted above
            drop
        }
    }
}
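The iRule logs every request to the exploit path so that source addresses can be reviewed later. As an added example that is not part of the submitted snippet, the Python script below parses such /var/log/ltm entries and counts repeat sources per client address and country. The sample log lines are constructed (hypothetical hostname, rule name and RFC 5737 addresses); the exact syslog prefix and the whereis output on a real BIG-IP may differ.

```python
import re
from collections import Counter

# Constructed sample /var/log/ltm lines. The message after "<HTTP_REQUEST>:" follows the
# iRule's log statement: "<prefix> <virtual name> <client ip> <client port> <continent> <country>"
SAMPLE_LTM_LOG = """\
Jan  5 09:12:01 bigip1 warning tmm[2210]: Rule /Common/citrixbleed_mitigation <HTTP_REQUEST>: CB /Common/citrix_gw_vs 203.0.113.5 51234 EU DE
Jan  5 09:12:03 bigip1 warning tmm[2210]: Rule /Common/citrixbleed_mitigation <HTTP_REQUEST>: CB /Common/citrix_gw_vs 203.0.113.5 51240 EU DE
Jan  5 09:12:10 bigip1 info tmm1[2211]: Rule /Common/some_other_rule <HTTP_REQUEST>: unrelated message
Jan  5 09:15:44 bigip1 warning tmm1[2211]: Rule /Common/citrixbleed_mitigation <HTTP_REQUEST>: CB /Common/citrix_gw_vs 198.51.100.77 40010 NA US
Jan  5 09:20:00 bigip1 warning tmm[2210]: Rule /Common/citrixbleed_mitigation <HTTP_REQUEST>: CB /Common/citrix_gw_vs 203.0.113.5 51300 EU DE
"""

# Generic shape of an iRule log line: timestamp, host, level, process, then "Rule <name> <EVENT>: <msg>"
LTM_RULE_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+\S+\s+\S+:\s+"
    r"Rule\s+(?P<rule>\S+)\s+<(?P<event>\w+)>:\s+(?P<msg>.*)$"
)


def parse_cb_events(log_text, prefix="CB"):
    """Return one dict per log line written by the iRule (identified by its log prefix)."""
    events = []
    for line in log_text.splitlines():
        m = LTM_RULE_LINE.match(line)
        if not m:
            continue
        fields = m.group("msg").split()
        # Need at least prefix, virtual name, client IP and client port;
        # whereis can return an empty string, so the geo fields may be missing.
        if len(fields) < 4 or fields[0] != prefix:
            continue
        events.append({
            "ts": m.group("ts"), "rule": m.group("rule"), "vs": fields[1],
            "ip": fields[2], "port": int(fields[3]),
            "continent": fields[4] if len(fields) > 4 else "",
            "country": fields[5] if len(fields) > 5 else "",
        })
    return events


def summarize(events, min_hits=2):
    """Aggregate hits per client address and country; flag sources seen at least min_hits times."""
    by_ip = Counter(e["ip"] for e in events)
    by_country = Counter(e["country"] for e in events)
    repeat_sources = {ip: n for ip, n in by_ip.items() if n >= min_hits}
    return {"total": len(events), "by_ip": by_ip,
            "by_country": by_country, "repeat_sources": repeat_sources}


if __name__ == "__main__":
    report = summarize(parse_cb_events(SAMPLE_LTM_LOG))
    print(f"{report['total']} requests to the exploit path")
    for ip, n in report["repeat_sources"].items():
        print(f"repeat source {ip}: {n} hits")
```

Run it against a real `grep ' CB ' /var/log/ltm` capture to get the per-source counts the log line was written to support.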
Published Jan 05, 2024
Version 1.0
