Today, Citrix has released a critical security update to address a zero-day vulnerability. Upon successful exploitation, an unauthenticated remote attacker could execute code and take over the system. Both Citrix and the NSA have stated that they are aware of targeted attacks in the wild. Barracuda MSP recommends patching affected Citrix products as soon as possible to address this vulnerability.
What is the threat?
This critical vulnerability, tracked as CVE-2022-27518, affects versions of Citrix ADC and Citrix Gateway and could lead to unauthenticated remote arbitrary code execution. Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP to be exploited.
Why is it noteworthy?
Similar to the recently disclosed Fortinet vulnerability, the affected Citrix appliances are used by companies to secure their networks. Any out-of-date ADC or Gateway that is configured as a SAML SP or IdP is currently unprotected against this vulnerability, allowing unauthenticated malicious actors to gain system access.
Additionally, the NSA released an advisory reporting that state-sponsored hackers are actively exploiting this vulnerability to gain access to corporate networks.
What is the exposure or risk?
When exploited, this security flaw could lead to unauthenticated and unauthorized remote code execution. Malicious code or commands can be executed, allowing a threat actor to take over the system.
The following versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
To be vulnerable, the system must be configured as a SAML SP or a SAML IdP. Organizations can determine if their Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP by inspecting the ns.conf file for the following commands:
- Add authentication samlAction: the appliance is configured as a SAML SP
- Add authentication samlIdPProfile: the appliance is configured as a SAML IdP
If either of these commands is present in the ns.conf file and the running version is an affected version, the appliance must be updated.
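The two-part check above (a SAML role in ns.conf plus an affected build) can be automated offline. The following script is an added example, not code from Barracuda MSP or Citrix; it assumes ns.conf has been copied off the appliance and that the version is supplied in the same "13.0-58.32" form the advisory uses, with the edition ("standard", "FIPS" or "NDcPP") passed separately because the 12.1 FIPS/NDcPP fix build (55.291) is lower than the standard 12.1 fix build (65.25). The sample configuration and build numbers are constructed.

```python
import re

# Affected branches and the first fixed build, taken from the advisory's list.
# Key: (release branch, edition); value: first fixed build as (major, minor).
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),   # 13.0 before 13.0-58.32
    ("12.1", "standard"): (65, 25),   # 12.1 before 12.1-65.25
    ("12.1", "FIPS"): (55, 291),      # 12.1-FIPS before 12.1-55.291
    ("12.1", "NDcPP"): (55, 291),     # 12.1-NDcPP before 12.1-55.291
}

# ns.conf directives named in the advisory and the SAML role each one implies.
SAML_DIRECTIVES = {
    "samlaction": "SAML SP",
    "samlidpprofile": "SAML IdP",
}
DIRECTIVE_RE = re.compile(
    r"^\s*add\s+authentication\s+(samlAction|samlIdPProfile)\b", re.IGNORECASE
)
# Version strings in the form the advisory uses, e.g. "13.0-58.32".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def saml_roles(ns_conf_text):
    """Return the set of SAML roles ('SAML SP', 'SAML IdP') configured in ns.conf."""
    roles = set()
    for line in ns_conf_text.splitlines():
        match = DIRECTIVE_RE.match(line)
        if match:
            roles.add(SAML_DIRECTIVES[match.group(1).lower()])
    return roles


def parse_version(version):
    """Split '13.0-58.32' into ('13.0', (58, 32)); raise on anything else."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return match.group(1), (int(match.group(2)), int(match.group(3)))


def is_affected_version(version, edition="standard"):
    """True if the build predates the fix, False if fixed, None if the
    branch/edition is not in the advisory's list (no statement either way)."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return None
    return build < fixed


def assess(ns_conf_text, version, edition="standard"):
    """Combine both conditions: a SAML role must be configured AND the build
    must be an affected one before the appliance is flagged for update."""
    roles = saml_roles(ns_conf_text)
    affected = is_affected_version(version, edition)
    return {
        "saml_roles": sorted(roles),
        "affected_version": affected,
        "must_update": bool(roles) and affected is True,
    }


# Constructed sample ns.conf excerpt (hypothetical names and addresses,
# not taken from a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication vserver auth_vs SSL 192.0.2.11 443
bind authentication vserver auth_vs -policy saml_pol -priority 100
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_saml.py /path/to/ns.conf 13.0-47.24 [standard|FIPS|NDcPP]
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        edition = sys.argv[3] if len(sys.argv) > 3 else "standard"
        print(assess(text, sys.argv[2], edition))
    else:
        # "13.0-47.24" is a hypothetical older 13.0 build used for the demo run.
        print(assess(SAMPLE_NS_CONF, "13.0-47.24"))
```

The match is case-insensitive so that both the lowercase form the appliance writes and the capitalised form quoted above are caught. A result of None for affected_version means the branch is simply not in the advisory's list, which is not the same as "fixed"; treat it as a prompt to check the vendor bulletin for that release line.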
What are the recommendations?
Barracuda MSP recommends the following actions to protect against this vulnerability:
- Immediately update to the latest fixed version if running an affected version of Citrix ADC or Citrix Gateway.
- Citrix has provided a video walkthrough of how to remediate the vulnerability.
- Implement best practices for Citrix ADC, such as placing all instances behind a VPN that requires user authentication before the ADC can be reached.
- Review the NSA Threat Hunting Guidance to check for Indicators of Compromise (IOCs).
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.