Citrix urges administrators to apply security updates for a “critical” zero-day vulnerability (CVE-2022-27518) in Citrix ADC and Gateway that is being actively exploited by state-sponsored hackers to gain access to business networks.

This new vulnerability allows an unauthenticated attacker to execute remote commands on vulnerable devices and take control of them.

Citrix warns administrators to install the latest update “as soon as possible” as the vulnerability is being actively exploited in attacks.

“We are aware of a small number of targeted attacks in the wild using this vulnerability,” Citrix says in the security bulletin accompanying the update.

“Customers using an affected release with a SAML SP or IdP configuration are urged to immediately install the recommended releases as this vulnerability has been identified as critical. No workaround is available for this vulnerability.” – Citrix

The vulnerability affects the following versions of Citrix ADC and Citrix Gateway:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

The above versions are only affected if the appliance is configured as a SAML SP (service provider) or a SAML IdP (identity provider).

Administrators can determine how the device is configured by inspecting the “ns.conf” file for the following two commands:

add authentication samlAction
add authentication samlIdPProfile

Administrators should immediately update their devices if the above configuration operations are found.

Citrix ADC and Citrix Gateway version 13.1 are not affected by CVE-2022-27518, so upgrading to it resolves the security issue.

It is recommended that those using older versions upgrade to the latest version available for the 12.0 or 13.0 branch.

Additionally, Citrix ADC FIPS and Citrix ADC NDcPP must be upgraded to versions 12.1-55.291 or later.
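The triage that the advisory describes (is a SAML SP or IdP profile present in ns.conf, and is the build below the fixed build for its branch and edition?) can be scripted. The following is an added example, not Citrix's or the NSA's code: a POSIX shell script that takes the ns.conf path, the version string and an edition label (standard, fips or ndcpp, names chosen here) and prints one of EXPOSED, NOT_VULNERABLE, NOT_SAML or UNKNOWN. The sample ns.conf fragment it writes is constructed for the demo; the fixed build numbers are the ones listed above.

```shell
#!/bin/sh
# Added example (not Citrix's or the NSA's code): triage a Citrix ADC/Gateway
# appliance against the CVE-2022-27518 advisory conditions.
# Inputs: path to ns.conf, version string (e.g. 13.0-58.31), edition label
# (standard|fips|ndcpp; labels chosen for this example).

# Returns 0 when ns.conf defines a SAML SP (samlAction) or SAML IdP
# (samlIdPProfile) profile, i.e. the precondition named in the advisory.
saml_configured() {
    grep -Eq '^add authentication saml(Action|IdPProfile)[[:space:]]' "$1"
}

# Returns 0 when the build is below the fixed build for its branch/edition,
# 1 when it is at or above the fix or on the unaffected 13.1 branch,
# 2 when the branch/edition pair is not covered by the advisory table.
vulnerable_version() {
    ver=$1
    edition=${2:-standard}
    branch=${ver%%-*}        # e.g. 13.0
    build=${ver#*-}          # e.g. 58.31
    maj=${build%%.*}         # e.g. 58
    min=${build#*.}          # e.g. 31
    case "$branch:$edition" in
        13.0:standard)         fmaj=58; fmin=32 ;;
        12.1:standard)         fmaj=65; fmin=25 ;;
        12.1:fips|12.1:ndcpp)  fmaj=55; fmin=291 ;;
        13.1:*)                return 1 ;;   # 13.1 is not affected
        *)                     return 2 ;;
    esac
    if [ "$maj" -lt "$fmaj" ]; then return 0; fi
    if [ "$maj" -eq "$fmaj" ] && [ "$min" -lt "$fmin" ]; then return 0; fi
    return 1
}

# Combines both checks; prints EXPOSED, NOT_VULNERABLE, NOT_SAML or UNKNOWN.
triage() {
    conf=$1; ver=$2; edition=$3
    if ! saml_configured "$conf"; then echo NOT_SAML; return 0; fi
    vulnerable_version "$ver" "$edition" && rc=0 || rc=$?
    case $rc in
        0) echo EXPOSED ;;
        1) echo NOT_VULNERABLE ;;
        *) echo UNKNOWN ;;
    esac
}

# Constructed ns.conf fragment with a SAML SP action defined (sample data).
write_sample_conf() {
    cat > "$1" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_sp -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication vserver auth_vs SSL 192.0.2.11 443
EOF
}

# Demo: a 13.0 build one step below the fix, with a SAML SP configured.
tmp=$(mktemp)
write_sample_conf "$tmp"
triage "$tmp" 13.0-58.31 standard
rm -f "$tmp"
```

On a real appliance the version string comes from `show ns version` and the configuration from /nsconfig/ns.conf; the edition label has to be supplied by the operator because a 12.1-55.x build is fixed only when it is the FIPS or NDcPP line, which the version number alone does not reveal.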

Those using Citrix-managed cloud services don’t need to do anything, as the provider has already taken the appropriate corrective actions.

In addition, system administrators are advised to consult Citrix “Best Practices” for ADC appliances and implement vendor security recommendations.

Exploited by state-sponsored hackers

Although Citrix did not share any details on how this new bug is abused, the NSA did share that state-sponsored APT5 hackers (aka UNC2630 and MANGANESE) are actively exploiting the vulnerability in attacks.

“Active exploitation of Citrix devices underway by APT5. @NSACyber threat hunting tips linked below to identify and remediate this activity,” tweeted NSA Cybersecurity Director Rob Joyce.

In a coordinated disclosure, the NSA released an “APT5: Citrix ADC Threat Hunting Guide” notice with information on detecting whether a device has been exploited and guidance on securing Citrix ADC and Gateway devices.

“APT5 has demonstrated its capabilities against Citrix® Application Delivery Controller™ (ADC™) (“Citrix ADC”) deployments. Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by circumventing normal authentication controls,” says the NSA Notice published today.

“As such, the NSA, in conjunction with partners, has developed this Threat Hunting Guide to provide the steps organizations can take to search for possible artifacts of this type of activity. Please note that this guide does not represent all of the techniques, tactics, or procedures (TTPs) that actors may employ when targeting these environments” – National Security Agency

APT5 is believed to be a Chinese state-sponsored hacking group known to use zero days in VPN devices to gain initial access and steal sensitive data.

In 2021, APT5 used a zero-day in Pulse Secure VPN devices to breach US Defense Industrial Base (DIB) networks.

Although APT5 is currently the only known threat actor abusing the vulnerability, now that it’s been disclosed, we’ll likely see other groups start using it soon.

Hackers have exploited similar security issues in the past in attacks that led to initial access to corporate networks, ransomware, and data theft.

In 2019, a remote code execution flaw tracked as CVE-2019-19781 was discovered in Citrix ADC and Citrix Gateway and was soon targeted by ransomware operations (1, 2), state-sponsored APTs, opportunistic attackers who used mitigation bypasses, and more.

That flaw was so widely exploited that the Dutch government advised companies to turn off their Citrix ADC and Citrix Gateway devices until administrators could apply security updates.
