Thousands of Citrix servers still vulnerable to patched critical flaws

Thousands of Citrix ADC and Gateway deployments remain vulnerable to two critical-severity security issues that the vendor has addressed in recent months.

The first defect is CVE-2022-27510, corrected on November 8. It is an authentication bypass that affects both Citrix products and could let an attacker gain unauthorized access to the device. The same November advisory also addressed two lower-severity issues: a remote desktop takeover via phishing and a bypass of the brute-force login protection.

The second bug is tracked as CVE-2022-27518, disclosed and corrected on December 13. It allows unauthenticated attackers to execute commands remotely on vulnerable devices and take control of them.

Threat actors were already exploiting CVE-2022-27518 when Citrix released a security update to fix it.

Today, researchers from NCC Group's Fox-IT team report that while most publicly reachable Citrix endpoints have been updated to a secure version, thousands of endpoints remain vulnerable to attacks.

Finding vulnerable versions

Fox IT analysts scanned the web on Nov. 11, 2022, and found a total of 28,000 Citrix servers online.

To determine how many of those exposed servers are vulnerable to either flaw, the researchers needed each server's version number, which is not included in the servers' HTTP responses.

However, the responses contained parameters carrying MD5-like hash values, which could be matched to specific Citrix ADC and Gateway product versions.

Hash in index.htm (Fox)

To build that mapping, the team downloaded every version of Citrix ADC they could obtain from Citrix, Google Cloud Marketplace, AWS, and Azure, deployed each one to a virtual machine, and recorded the hash it served.

Link hashes to versions (Fox)

For hashes that did not match any of the deployed versions, the researchers instead determined the build date and inferred the version number from that.

Correlate build dates to hashes (Fox)

This further reduced the number of orphan hashes (hashes with no known version); in the end most hashes could be paired with a specific product version.

Thousands of vulnerable Citrix servers

The final results are summarized in the following graph, which shows that as of December 28, 2022, the majority of exposed servers ran version 13.0-88.14, which is unaffected by either security issue.

Citrix Server Versions (Fox)

The second most popular version was 12.1-65.21, found on roughly 3,500 endpoints. It is vulnerable to CVE-2022-27518 only under certain conditions: the appliance must be configured as a SAML SP or IdP, so not all 3,500 systems were exploitable.

Beyond that, over 1,000 servers were vulnerable to CVE-2022-27510, and around 3,000 endpoints were potentially vulnerable to both critical bugs.

Servers whose hashes could not be mapped to a known Citrix version ranked third, at more than 3,500, and may or may not be vulnerable to either flaw.
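The fingerprinting method described above (extract the hash from the login page, map it to a version, then compare the version against the fixed builds) and the classification into the categories listed in these paragraphs can be reproduced in a few lines. The following is an added example, not Fox-IT's code: the hash-to-version table and the sample page body are constructed for illustration, the `v=` query-parameter name the hash is read from is an assumption, and the fixed-build thresholds are the ones I recall from the Citrix advisories for the two CVEs and should be checked against the current advisory text before use (FIPS and NDcPP builds are left out).

```python
import re
from typing import Optional

# Constructed hash-to-version table; the hash values are made up for this example.
# In the Fox-IT method this table is built by deploying each obtainable Citrix ADC
# build and recording the hash its login page serves.
HASH_TO_VERSION = {
    "5f4dcc3b5aa765d61d8327deb882cf99": "13.0-88.14",
    "e99a18c428cb38d5f260853678922e03": "12.1-65.21",
    "098f6bcd4621d373cade4e832627b4f6": "13.0-58.30",
    "ad0234829205b9033196ba818f7a872b": "13.1-30.52",
}

# Assumption: the hash appears as a 32-hex cache-busting value in a "v=" query
# parameter on resources referenced from index.htm.
HASH_RE = re.compile(r"[?&]v=([0-9a-f]{32})")

# First fixed build per branch, as recalled from the Citrix advisories; verify
# before relying on these. Branch 13.1 is not affected by CVE-2022-27518.
FIXED_BUILD = {
    "CVE-2022-27510": {(13, 1): (33, 47), (13, 0): (88, 12), (12, 1): (65, 21)},
    "CVE-2022-27518": {(13, 0): (58, 32), (12, 1): (65, 25)},
}

# Constructed login-page fragment standing in for a real HTTP response body.
SAMPLE_BODY = (
    '<html><head>'
    '<link rel="stylesheet" href="/vpn/js/rdx/core/css/rdx.css'
    '?v=5f4dcc3b5aa765d61d8327deb882cf99">'
    '</head><body>Citrix Gateway</body></html>'
)


def extract_hash(body: str) -> Optional[str]:
    """Return the first 32-hex resource hash found in a login page body, if any."""
    m = HASH_RE.search(body)
    return m.group(1) if m else None


def parse_version(version: str):
    """'13.0-88.14' -> ((13, 0), (88, 14)), so builds compare numerically, not as strings."""
    branch, build = version.split("-", 1)
    return (tuple(int(x) for x in branch.split(".")),
            tuple(int(x) for x in build.split(".")))


def affected_by(version: str) -> list:
    """List the CVEs whose fixed build for this branch is newer than the given build."""
    branch, build = parse_version(version)
    cves = [cve for cve, fixed in FIXED_BUILD.items()
            if branch in fixed and build < fixed[branch]]
    return sorted(cves)


def classify(body: str) -> dict:
    """Fingerprint one response body and place it in the article's categories."""
    h = extract_hash(body)
    version = HASH_TO_VERSION.get(h) if h else None
    if version is None:
        return {"hash": h, "version": None, "cves": [], "status": "unknown version"}
    cves = affected_by(version)
    if not cves:
        status = "not vulnerable"
    elif cves == ["CVE-2022-27518"]:
        # Exploitable only when the appliance is configured as a SAML SP or IdP,
        # which an external scan cannot see; report it as conditional.
        status = "vulnerable to CVE-2022-27518 if configured as SAML SP or IdP"
    elif cves == ["CVE-2022-27510"]:
        status = "vulnerable to CVE-2022-27510"
    else:
        status = "potentially vulnerable to both CVEs"
    return {"hash": h, "version": version, "cves": cves, "status": status}


if __name__ == "__main__":
    print(classify(SAMPLE_BODY))
    for v in HASH_TO_VERSION.values():
        print(v, affected_by(v))
```

Because builds are compared as integer tuples, 12.1-65.21 is correctly placed at the fixed build for CVE-2022-27510 but below 12.1-65.25 for CVE-2022-27518, matching the article's figures; a plain string comparison would misorder builds such as 13.0-88.14 against 13.0-58.32.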

Regarding the timeliness of patches, the United States, Germany, Canada, Australia, and Switzerland reacted quickly to the publication of the relevant security advisories.

Patching speed of each country (Fox)

Fox-IT hopes its blog post will raise awareness among Citrix administrators who have yet to apply security updates for these critical flaws, with the statistics showing there is still a lot of work to be done to close all of them.
