CitrixBleed Mitigation CVE-2023-4966
Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.
Short Description
The Citrix Bleed exploit https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4966 against Netscaler ADC and Netscaler Gateway is being seen in the wild and impacting many organisations https://www.malwarebytes.com/blog/news/2023/11/citrix-bleed-widely-exploitated-warn-government-agencies .
If you have a BIG-IP providing access to your Citrix platform, you can gain visibility of this explit and potentially mitigate malicious requests.
Problem solved by this Code Snippet
This iRule will catch requests to the exploit URL and create a log and iStat, and potentially drop malicious requests where the Host header is set to be a large length.
How to use this Code Snippet
Create the iRule and assign it to the virtual server in front of the Citrix device.
Code Snippet Meta Information
- Version: TMOS v11+
- Coding Language: iRule
Full Code Snippet
when RULE_INIT priority 500 {
# This is an iRule to be used to capture and possibly mitigate against known Citrix Bleed attacks
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4966
# There is no support implied in using this iRule, you use it at your own risk
# Version 1 Peter White
# Note that all requests to /oauth/idp/.well-known/openid-configuration will be logged in /var/log/ltm for later checking of source address etc
# and all requests with a hostname of more than 100 characters will be assumed to be malicious
# Set the variable below to 1 or 0 to turn on blocking of known malicious requests
set static::cb_block 1
# Set the host header max length. Note that the PoC uses a length of 24576
set static::cb_host_max_length 100
# Log prefix - set the log prefix for the warning logs for this iRule
set static::cb_log_prefix "CB"
}
when HTTP_REQUEST priority 100 {
if { [HTTP::path] equals "/oauth/idp/.well-known/openid-configuration" } {
log local0.warn "$static::cb_log_prefix [virtual name] [IP::client_addr] [TCP::client_port] [whereis [IP::client_addr] continent] [whereis [IP::client_addr] country]"
# Note that you can see the iStat using the command 'tmsh show ltm virtual <virtual server name>' and look at User-defined stats at the bottom
ISTATS::incr "ltm.virtual [virtual name] counter CB_log" 1
if { $static::cb_block && ([string length [HTTP::header Host]] > $static::cb_host_max_length) } {
drop
}
}
}
Published Jan 05, 2024
Version 1.0PeteWhite
Employee
Joined May 16, 2019
No CommentsBe the first to comment