WARNING: REMOTE CODE EXECUTION VULNERABILITY IN CITRIX APPLICATION DELIVERY CONTROLLER (ADC) AND GATEWAY
CVE-2022-27518 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Citrix released a security update on December 14, 2022 for a critical zero-day vulnerability (CVE-2022-27518) in Citrix ADC and Gateway that is actively exploited.
The vulnerability can be exploited by unauthenticated threat actors to execute commands remotely on vulnerable devices and to take control over them, by bypassing normal authentication controls.
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IDP configuration, contain an authentication bypass vulnerability which allows an attacker to remotely execute code as administrator.
Common attack patterns are:
- Abuse Elevation Control Mechanism;
- Application Access Toke;
- Access Token Manipulation;
- Web Shell;
Citrix's Application Delivery Controller (ADC) and Gateway products versions 12.1 (including FIPS and NDcPP), and 13.0 before 13.0-58.32 of Citrix ADC and Citrix Gateway, both of which must be configured with an SAML SP or IdP configuration to be affected.
The US National Security Agency (NSA) has released a Threat Hunting Guidance about state-sponsored APT5 hackers (similar to UNC2630 and MANGANESE) that are actively exploiting the vulnerability in attacks.
To address the issue, Citrix has released a security update, recommending to upgrade to the latest available build for the 12.0 (220.127.116.11) or 13.0 branch (18.104.22.168), or to the 13.1 version, which is not affected.
The CCB recommends system administrators patch vulnerable systems as soon as possible, analyze system and network logs for any suspicious activity, and perform a threat hunt in your infrastructure to make sure it’s not already compromised. See the NSA guidance.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident