Description
A critical zero-day vulnerability has been identified in Citrix Application Delivery Controller (ADC) and Citrix Gateway and is being actively exploited by a state-sponsored threat actor.
Summary
Citrix released a security update on December 13, 2022 to address a critical vulnerability in its Citrix ADC and Citrix Gateway products. The vulnerability is tracked as CVE-2022-27518 and allows an unauthenticated remote attacker to execute arbitrary code on an affected appliance. The affected versions are as follows:
Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
Citrix ADC 12.1-FIPS before 12.1-55.291
Citrix ADC 12.1-NDcPP before 12.1-55.291
Citrix ADC and Citrix Gateway version 13.1 are not affected by this vulnerability. Exploitation has a pre-condition: the appliance must be configured for Security Assertion Markup Language (SAML) authentication, either as a SAML Service Provider (SP) or as a SAML Identity Provider (IdP). An affected build that is configured in either of these roles is vulnerable.
While Citrix did not disclose many details about the attacks, the National Security Agency (NSA) reported that a state-sponsored APT group known as APT5 (also tracked as UNC2630 and MANGANESE) is responsible and is actively exploiting this vulnerability. APT5 is believed to be a Chinese state-sponsored group that is known for using zero-day vulnerabilities in VPN devices to gain unauthorized remote access and steal data.
Remediation
If your Citrix ADC and Citrix Gateway appliances are running one of the affected versions listed above, Citrix recommends updating them to a fixed version as soon as possible. The URLs below lead to the updated installers:
Citrix ADC – https://www.citrix.com/downloads/citrix-adc/
Citrix Gateway – https://www.citrix.com/downloads/citrix-gateway/
Additionally, to confirm whether an appliance is configured in a SAML role, inspect its ns.conf file for the following lines:
add authentication samlAction (SAML SP configuration)
add authentication samlIdPProfile (SAML IdP configuration)
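The two checks above, the build-range comparison against the affected versions and the ns.conf inspection for SAML SP/IdP directives, can be combined into one script. The following is an added example and is not code from Citrix or from this advisory; the "show ns version" banner format it parses and the sample ns.conf fragment it checks are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Citrix bulletin or this advisory).
# Two checks for CVE-2022-27518: (1) is the running build in an affected
# range, (2) does ns.conf configure a SAML SP or IdP (the pre-condition).
# The banner format and the sample config below are assumptions.

# Convert a "show ns version" banner such as
#   "NetScaler NS13.0: Build 58.30.nc, Date: ..."   (assumed format)
# into the "13.0-58.30" form used in the advisory's version list.
ns_version_from_banner() {
    printf '%s\n' "$1" | sed -n \
        's/.*NS\([0-9][0-9]*\.[0-9][0-9]*\): Build \([0-9][0-9]*\.[0-9][0-9]*\).*/\1-\2/p'
}

# Usage: cve_2022_27518_version_affected VERSION [FIPS|NDcPP]
# Returns 0 when VERSION (e.g. "12.1-65.21") falls in an affected range from
# the bulletin, 1 otherwise. 13.1 and unknown branches are treated as unaffected.
cve_2022_27518_version_affected() {
    ver="$1"; variant="${2:-}"
    branch="${ver%%-*}"; build="${ver#*-}"
    case "$branch:$variant" in
        13.0:)       fix="58.32" ;;   # 13.0 before 13.0-58.32
        12.1:)       fix="65.25" ;;   # 12.1 before 12.1-65.25
        12.1:FIPS)   fix="55.291" ;;  # 12.1-FIPS before 12.1-55.291
        12.1:NDcPP)  fix="55.291" ;;  # 12.1-NDcPP before 12.1-55.291
        *)           return 1 ;;
    esac
    bmaj="${build%%.*}"; bmin="${build#*.}"
    fmaj="${fix%%.*}";   fmin="${fix#*.}"
    # A build with no minor component ("58") compares as 58.0.
    [ "$bmin" = "$build" ] && bmin=0
    # Affected when the running build sorts below the fixed build.
    if [ "$bmaj" -lt "$fmaj" ]; then return 0; fi
    if [ "$bmaj" -eq "$fmaj" ] && [ "$bmin" -lt "$fmin" ]; then return 0; fi
    return 1
}

# Print the SAML roles configured in an ns.conf: "SP", "IdP", "SP IdP", or
# an empty line when neither directive is present. Either role means the
# appliance meets the exploitation pre-condition.
saml_roles() {
    roles=""
    grep -q '^add authentication samlAction ' "$1" && roles="SP"
    grep -q '^add authentication samlIdPProfile ' "$1" && roles="${roles:+$roles }IdP"
    printf '%s\n' "$roles"
}

# Constructed sample ns.conf fragment (not a real appliance configuration):
# an SP-side SAML action plus an unrelated LDAP action.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_example -samlIdPCertName idp_cert -samlSigningCertName sp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication Policy saml_pol -rule true -action saml_sp_example
add authentication ldapAction ldap_act -serverIP 192.0.2.20
EOF

# Stand-alone run against constructed inputs.
BANNER="NetScaler NS13.0: Build 58.30.nc, Date: Nov 1 2022, 16:31:56   (64-bit)"
VER="$(ns_version_from_banner "$BANNER")"
if cve_2022_27518_version_affected "$VER"; then
    echo "$VER: affected build, upgrade required"
else
    echo "$VER: not in an affected range"
fi
echo "SAML roles in sample ns.conf: $(saml_roles "$SAMPLE_CONF")"
```

On a real appliance, run the checks from the shell with /nsconfig/ns.conf as the config path and the output of `show ns version` from the NetScaler CLI as the banner; pass FIPS or NDcPP as the second argument on those builds, since the fixed build numbers differ from the standard 12.1 release.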
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
References
Toulas, B. (2022, December 13). Hackers exploit critical Citrix ADC and Gateway zero-day, patch now. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-citrix-adc-and-gateway-zero-day-patch-now/
Lefkowitz, P. (2022, December 13). Critical security update now available for Citrix ADC, Citrix Gateway. Retrieved from Citrix Blogs. https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518. (2022, December 13). Retrieved from Citrix Support Knowledge Center. https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518