Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation
Written by Otmar Lendl.
./citrix-anomaly.pl [-d] [-v] [-h] [-p file] [-a X] [logfiles]
This script parse citrix netscale syslog files and looks for session
reconnects that might be the result of a CVE-2023-4966 exploitation.
Parameters:
-d Debug
-v Verbose
-h This help
-a Set aggregation type. Possible values
b (default) simple /24 aggregation
a aggregate by ASN
p aggregate to routing table prefix
-p path to a routing table dump. Syntax: "prefix asn" per line
The script needs Net::CIDR and Net::Patricia (you want to use the -p feature) which might not be installed on all Linux servers. On Debian-based systems, use
sudo apt install libnet-cidr-perl libnet-patricia-perl
to install them.
A file with the global routing table as of 2023-10-27 is included in this repo. It needs to be decompressed.
The logline prefixes can vary between different systems / log daemons. The code now tries to ignore line prefixes and matches on the Citrix supplied timestamps. (which apparently can vary by locale settings.)
CVE-2023-4966 leaks session cookies which allows attackers to reconnect to existing Citrix sessions.
This script looks for "SSLVPN LOGIN" and "SSLVPN TCPCONNSTAT" syslog lines (pre-filtering with grep for these lines makes sense) and checks which sessions either don't have a matching LOGIN line or change client IP address over its lifetime.
The script uses successful initial logins as sign that a source network is benign. If there are only reconnects from a source network, but no initial connects from there, then these reconnects are suspicious. This is not done on a pure IP-address basis, there are three aggrgation schemes implemented:
- trival /24
- aggregate to prefix according to the routing table
- aggregate to AS according to the routing table
The latter two algorithms need a file that matches prefixes to ASN. An example is supplied in this repo.