Citrix is urging administrators to apply security updates for a critical zero-day vulnerability (CVE-2022-27518) in Citrix ADC and Citrix Gateway that is being actively exploited by state-sponsored hackers to gain access to business networks.
This new vulnerability allows an unauthenticated attacker to execute remote commands on vulnerable devices and take control of them.
Citrix warns administrators to install the latest update “as soon as possible” as the vulnerability is being actively exploited in attacks.
The vulnerability affects the following versions of Citrix ADC and Citrix Gateway:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
The above versions are only affected if the appliance is configured as a SAML SP (service provider) or a SAML IdP (identity provider).
Administrators can determine how the device is configured by inspecting the “ns.conf” file for the following two commands:
Administrators should immediately update their devices if the above configuration operations are found.
Citrix ADC and Citrix Gateway version 13.1 are not affected by CVE-2022-27518, so upgrading to it resolves the security issue.
Those running older builds are advised to upgrade to the latest build available for the 12.1 branch (12.1-65.25) or the 13.0 branch (13.0-58.32), as listed above.
Additionally, Citrix ADC FIPS and Citrix ADC NDcPP must be upgraded to versions 12.1-55.291 or later.
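The exposure check the article describes has two parts: is the appliance on a build below the fixed one for its branch and variant, and does its ns.conf create a SAML SP or IdP configuration. The following triage helper is an added example and is not Citrix's tooling or code from the article. The fixed-build table comes from the version list above; the two ns.conf keywords it greps for (`add authentication samlAction` for an SP action and `add authentication samlIdPProfile` for an IdP profile) are an assumption about ns.conf syntax, not something the article states, so confirm them against your own configuration before relying on the result. The sample ns.conf excerpt is constructed.

```python
"""Triage helper for CVE-2022-27518 exposure on Citrix ADC / Gateway appliances.

Added example, not Citrix's tooling. Fixed builds are taken from the advisory
summary in the article; the ns.conf keywords are an ASSUMPTION (verify locally).
"""
import re

# (branch, variant) -> first fixed build, per the article's affected-version list.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "fips"): (55, 291),
    ("12.1", "ndcpp"): (55, 291),
}
UNAFFECTED_BRANCHES = {"13.1"}  # article: 13.1 is not affected

# ASSUMPTION: ns.conf lines that create a SAML SP action or a SAML IdP profile.
SAML_PATTERNS = [
    re.compile(r"^add authentication samlAction\b", re.MULTILINE),
    re.compile(r"^add authentication samlIdPProfile\b", re.MULTILINE),
]

# Constructed sample excerpt of an ns.conf with a SAML SP action configured.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add lb vserver lb_web HTTP 10.0.0.20 80
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlSigningCertName sp_cert -samlRedirectUrl "https://idp.example.test/sso" -samlIssuerName "https://gw.example.test"
add authentication Policy pol_saml -rule true -action saml_sp_act
"""


def parse_version(version):
    """Return (branch, (major_build, minor_build)).

    Accepts '13.0-58.32' as well as the 'NetScaler NS13.0: Build 58.32.nc'
    form shown by `show ns version`.
    """
    m = re.search(r"(\d+\.\d+)[-:\s]+(?:Build\s+)?(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable_build(version, variant="standard"):
    """True if below the fixed build, False if fixed, None if branch unknown."""
    branch, build = parse_version(version)
    if branch in UNAFFECTED_BRANCHES:
        return False
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return None  # out-of-support or unlisted branch: verify manually
    return build < fixed


def saml_configured(ns_conf_text):
    """True if any SAML SP/IdP configuration line is present (assumed keywords)."""
    return any(p.search(ns_conf_text) for p in SAML_PATTERNS)


def triage(version, ns_conf_text, variant="standard"):
    """Combine the build check and the configuration check into one verdict."""
    vulnerable = is_vulnerable_build(version, variant)
    if vulnerable is None:
        return "UNKNOWN: branch not in the advisory list, verify manually"
    if not vulnerable:
        return "NOT AFFECTED: build is at or above the fixed build"
    if not saml_configured(ns_conf_text):
        return "VULNERABLE BUILD, no SAML SP/IdP config found: update on normal schedule"
    return "EXPOSED: vulnerable build with SAML configured, update immediately"


if __name__ == "__main__":
    for v, variant in [("13.0-58.31", "standard"), ("NetScaler NS12.1: Build 65.25.nc", "standard"),
                       ("12.1-55.290", "fips"), ("13.1-33.47", "standard")]:
        print(f"{v:40s} {variant:9s} -> {triage(v, SAMPLE_NS_CONF, variant)}")
```

Run it against the output of `show ns version` and a copy of `/nsconfig/ns.conf` from each appliance; an "EXPOSED" verdict is the case the advisory treats as urgent, while a fixed build on a SAML-configured box is what you want to see after patching.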
Those using Citrix-managed cloud services don’t need to do anything, as the provider has already taken the appropriate corrective actions.
In addition, system administrators are advised to consult Citrix “Best Practices” for ADC appliances and implement vendor security recommendations.
Exploited by state-sponsored hackers
Although Citrix did not share any details on how this new bug is abused, the NSA did share that state-sponsored APT5 hackers (aka UNC2630 and MANGANESE) are actively exploiting the vulnerability in attacks.
“Active exploitation of Citrix devices underway by APT5. @NSACyber threat hunting tips linked below to identify and remediate this activity,” tweeted NSA Cybersecurity Director Rob Joyce.
In a coordinated disclosure, the NSA released an “APT5: Citrix ADC Threat Hunting Guide” notice with information on detecting whether a device has been exploited and guidance on securing Citrix ADC and Gateway devices.
“APT5 has demonstrated its capabilities against Citrix® Application Delivery Controller™ (ADC™) (“Citrix ADC”) deployments. Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by circumventing normal authentication controls,” says the NSA Notice published today.
APT5 is believed to be a Chinese state-sponsored hacking group known to use zero days in VPN devices to gain initial access and steal sensitive data.
In 2021, APT5 used a zero-day in Pulse Secure VPN devices to breach US Defense Industrial Base (DIB) networks.
Although APT5 is currently the only known threat actor abusing the vulnerability, now that it’s been disclosed, we’ll likely see other groups start using it soon.
Hackers have exploited similar security issues in the past in attacks that led to initial access to corporate networks, ransomware, and data theft.
In 2019, a remote code execution flaw tracked as CVE-2019-19781 was discovered in Citrix ADC and Citrix Gateway and was soon targeted by ransomware operations, state-sponsored APTs, opportunistic attackers who used mitigation bypasses, and more.
That flaw was exploited so widely that the Dutch government advised companies to turn off their Citrix ADC and Citrix Gateway devices until administrators could apply security updates.