Xfinity waited 13 days to patch critical Citrix Bleed 0-day. Now it's paying the price


MORE CITRIX BLEED CASUALTIES

Data for almost 36 million customers now in the hands of unknown hackers.

Dan Goodin – Dec 19, 2023 11:14 pm UTC

[Image caption: A Comcast Xfinity service van in San Ramon, California on February 25, 2020. Getty Images | Smith Collection/Gado]

Comcast waited 13 days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with password data and other sensitive information belonging to 36 million Xfinity customers.

The breach, which was carried out by exploiting a vulnerability in network hardware sold by Citrix, gave hackers access to usernames and cryptographically hashed passwords for 35.9 million Xfinity customers, the cable TV and Internet provider said in a notification filed Monday with the Maine attorney general's office. Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August. Comcast didn't patch its network until October 23, 13 days after a patch became available and five days after the report of the in-the-wild attacks exploiting it.

"However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability," an accompanying notice stated. "We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired."

Comcast is still investigating precisely what data the attackers obtained. So far, Monday's disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast's cable television and Internet division.

Citrix Bleed has emerged as one of the year's most severe and widely exploited vulnerabilities, with a severity rating of 9.4 out of 10. The vulnerability, residing in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, can be exploited without any authentication or privileges on affected networks. Exploits disclose session tokens, which the hardware assigns to devices that have already successfully provided login credentials. Possession of the tokens allows hackers to override any multi-factor authentication in use and log into the device.

Other companies that have been hacked through Citrix Bleed include Boeing; Toyota; DP World Australia, a branch of the Dubai-based logistics company DP World; Industrial and Commercial Bank of China; and law firm Allen & Overy.

The name Citrix Bleed is an allusion to Heartbleed, a different critical information disclosure zero-day that turned the Internet on its head in 2014. That vulnerability, which resided in the OpenSSL code library, came under mass exploitation and allowed the pilfering of passwords, encryption keys, banking credentials, and all kinds of other sensitive information. Citrix Bleed hasn't been as dire because fewer vulnerable devices are in use.

A sweep of the most active ransomware sites didn't turn up any claims of responsibility for the hack of the Comcast network. An Xfinity representative said in an email that the company has yet to receive any ransom demands, and investigators aren't aware of any customer data being leaked or of any attacks on affected customers.

Comcast is requiring Xfinity customers to reset their passwords to protect against the possibility that attackers can crack the stolen hashes. The company is also encouraging customers to enable two-factor authentication. The representative declined to say why company admins didn't patch sooner.
