Citrix ADC and Gateway RCE Vulnerability (CVE-2022-27518)

Request an audit

December 15th 2022

Seasons Greetings from your resident spotit author, James! Apologies for the lack of content over the last couple of months, I’ve unfortunately been pre-occupied with some other things but as of today, normal service has resumed! 🥳

Citrix ADC/Citrix Gateway Unauthenticated RCE

Citrix has released security updates to patch a Critical severity vulnerability in Citrix ADC and Citrix Gateway. This vulnerability can allow an unauthenticated attacker to execute commands remotely and is being actively exploited in-the-wild by APT5/UNC2630/MANGANESE as confirmed by the NSA.

CVE-2022-27518 is a 9.8 (Critical) severity vulnerability. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Citrix said:

We are aware of a small number of targeted attacks in the wild using this vulnerability…

Customers who are using an affected build with a SAML SP or IdP configuration are urged to install the recommended builds immediately as this vulnerability has been identified as critical. No workarounds are available for this vulnerability.

Vulnerable version of Citrix ADC and Citrix Gateway are as follows:

Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
Citrix ADC 12.1-FIPS before 12.1-55.291
Citrix ADC 12.1-NDcPP before 12.1-55.291

These versions are affected if the appliances are configured with SAML SP or SAML IdP. To confirm how the device is configured, admins should inspect ns.conf for the following commands:

add authentication samlAction
add authentication samlIdPProfile

Citrix ADC 13.1 and Citrix Gateway 13.1 (and later versions of both) are unaffected. Citrix-managed cloud services are already upgraded by Citrix.

Upgrades

Spotit recommends that users of the affected versions upgrade as follows:

Citrix ADC FIPS and Citrix ADC NDcPP should be upgraded to version 12.1-55.291 or later
Citrix ADC and Citrix Gateway 12.x should be upgraded to version 12.1.65.25 or 13.0.88.16/13.1.x.x

Spotit also recommends that users follow Citrix’s Best Practices for Secure Deployment of ADC appliances.

That’s all for now!

Services

IT security assessment

Security & network assessment

Ethical hacking

OT/IoT security assessment

Red & Blue Teaming

M365 assessment

Governance

Decision tree

GDPR assessment

ISO 27k assessment

Social engineering

Cybersecurity maturity assessment

Networking

Security & network assessment

OT/IoT network assessment

Identify

Managed services

Network Operations Centre (NOC)

Security Operations Centre (SOC)

Network as a Service (NaaS)

Security Governance

UBA

Governance

Chief Information Security Officer (CISO)

Information Security Officer (ISO)

Social engineering

Security awareness training

Information Protection & Governance

Security & networking optimization

High-level design

Wireless/wired networking

Network Virtualisation & Automation (SDN)

SD-WAN

Endpoint security

Prevent & protect

Managed services

Security Operations Center (SOC)

CSIRT

Network Operations Centre (NOC)

Network as a Service (NaaS)

Endpoint Detection & Response

Governance

Chief Information Security Officer (CISO)

Data Protection Officer (DPO)

Detect & respond

Managed services

Network Operations Centre (NOC)

Security Operations Centre (SOC)

Network as a Service (NaaS)

CISO as a Service

DPO as a Service

Governance

Chief Information Security Officer (CISO)

Data Protection Officer (DPO)

Recover

Citrix ADC and Gateway RCE Vulnerability (CVE-2022-27518)

December 15th 2022

Citrix ADC/Citrix Gateway Unauthenticated RCE

Upgrades

Ready to discuss your security needs?