New York State Department of Financial Services
Cybersecurity Threat Alert - Citrix Bleed Vulnerability
November 14, 2023
Summary
The NYS Department of Financial Services mandates that all regulated entities assess and mitigate risks associated with the Citrix Bleed vulnerability (CVE-2023-4966 and CVE-2023-4967). Entities must promptly patch affected Citrix products, terminate active sessions, and adhere to new mandatory reporting requirements for cyber extortion payments.
Industry Letter
Date: November 14, 2023
To: Chief Information Security Officers of All Regulated Entities
Re: Cybersecurity Threat Alert - Citrix Bleed Vulnerability
The New York State Department of Financial Services (DFS) alerts all regulated entities to take immediate action to investigate and, if applicable, to mitigate the following cybersecurity threat.
On November 7, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released guidance for addressing a critical vulnerability designated as CVE-2023-4966, which affects multiple versions of Citrix NetScaler ADC and Gateway products. The vulnerability, also known as Citrix Bleed, could allow a cyber actor to take control of an affected system.
Threat actors are actively exploiting this vulnerability. According to Citrix’s website, there are reports of session hijacking and targeted attacks. Citrix strongly urges all affected users to immediately install recommended builds and to terminate and clear all active and persistent sessions. Please refer to the Citrix Security Blog for details and the necessary commands.
An additional vulnerability, CVE-2023-4967, has been found in customer-managed instances of Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).
Exploitation of these vulnerabilities can result in deployment of ransomware, data theft, and business disruption.
DFS advises all regulated entities to promptly assess the risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and to take action to mitigate that risk. As you assess risk, we recommend reviewing the Citrix Security Bulletin and the DFS Portal. As of December 1, 2023, regulated entities that decide to make cyber extortion payments must report such payments to DFS within 24 hours and, within 30 days, provide a description of the rationale for, and diligence undertaken in connection with, making such payment. For more information, visit DFS’s Cybersecurity Resource Center.
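The session-termination step the letter refers to, as an added note that is not part of the DFS letter: these are the NetScaler CLI commands Citrix published in its security bulletin for CVE-2023-4966, to be run on each affected appliance only after the fixed build has been installed (patching alone does not invalidate sessions already stolen). The `#` annotations are explanatory and are not part of the commands.

```nscli
show ns version              # confirm the appliance now reports a fixed build before clearing sessions
kill icaconnection -all      # drop all active ICA (virtual app/desktop) connections
kill rdp connection -all     # drop all RDP proxy connections
kill pcoipConnection -all    # drop all PCoIP connections
kill aaa session -all        # invalidate every authenticated AAA session, the target of the hijacking the letter describes
clear lb persistentSessions  # remove load-balancer persistence entries so cleared sessions are not re-attached
```

Users are forced to re-authenticate afterward, which is the intended effect; record the appliance version output and the time the commands were run as evidence for the risk assessment DFS requests.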
Source: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20231114_cyber_alert_citrix