Threat Response – Critical vulnerabilities in Citrix Gateway and Citrix ADC

09-11-2022


On the 8th of November, Citrix announced that three vulnerabilities in Citrix Gateway and ADC had been fixed with an update [1]. Northwave advises installing the update as soon as possible. With these vulnerabilities, malicious actors could bypass authentication or security measures, or use brute-force methods to gain access to user environments. The vulnerability with ID CVE-2022-27510 makes it possible to bypass authentication remotely, which means that a malicious actor could get access to the Citrix environment and possibly also the applications running on it. A precondition for this vulnerability is that the appliance is configured as a Gateway with the SSL VPN functionality in use, or that the system is configured as an ICA proxy with authentication.

Since these vulnerabilities could have a big impact, Northwave would like to warn you and advise you on actions to take to mitigate the risk of these vulnerabilities.

Description

Citrix Gateway is an on-premises solution for remote access to applications and resources [2]. Citrix ADC is an Application Delivery Controller which can be used to monitor and manage application delivery. It gives insight into details of the ADC infrastructure such as application performance, health and security [3].

The following versions of Citrix Gateway and Citrix ADC are vulnerable:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289

Impact 

Since these vulnerabilities make it possible for a malicious actor to gain unauthorized access to Citrix environments and possibly the applications running in these environments, Northwave assumes that (future) exploitation of these vulnerabilities will have a high impact. According to the National Cyber Security Center of The Netherlands, there are no indications at this time that the vulnerabilities are actively exploited [4]. Because the information regarding these vulnerabilities is now publicly available, Northwave expects that these vulnerabilities might be actively exploited in the future.

 

Risk

Northwave estimates the risk of these vulnerabilities as high, because of the popularity of these Citrix solutions and the widespread usage of this software. The main risk is that a malicious actor could gain unauthorized access to sensitive information and leak it. It is also possible to gain local admin/root rights through privilege escalation [4].

Mitigation

Citrix released an update for the vulnerabilities on November 8th [1]. Northwave advises users who run the vulnerable versions of Citrix Gateway and Citrix ADC to update to the following versions as soon as possible:

  • Citrix ADC and Citrix Gateway 13.1-33.47 or newer
  • Citrix ADC and Citrix Gateway 13.0-88.12 or newer versions of 13.0 
  • Citrix ADC and Citrix Gateway 12.1-65.21 or newer versions of 12.1 
  • Citrix ADC 12.1-FIPS 12.1-55.289 or newer versions of 12.1-FIPS 
  • Citrix ADC 12.1-NDcPP 12.1-55.289 or newer versions of 12.1-NDcPP

What should you do?

If you use a vulnerable version of the software, Northwave advises updating Citrix Gateway and Citrix ADC to one of the versions mentioned above as soon as possible.
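To triage an inventory against the version lists above, the following added example (not Northwave or Citrix code) parses a version string and compares it with the fixed build for its branch. The "NS13.0: Build 88.12.nc" banner format, the hostnames and the `edition` parameter are assumptions; the edition must be supplied by the operator, because the FIPS and NDcPP builds share the 12.1 branch but have a different fixed build.

```python
import re

# Fixed builds per release branch, taken from the advisory's lists.
# FIPS and NDcPP share the 12.1 major.minor but have their own fixed build.
FIXED = {
    ("13.1", "standard"): (33, 47),
    ("13.0", "standard"): (88, 12),
    ("12.1", "standard"): (65, 21),
    ("12.1", "fips"): (55, 289),
    ("12.1", "ndcpp"): (55, 289),
}

# Matches "NS13.0: Build 88.12.nc" banners (assumed format) as well as
# "13.0-88.12" and "12.1.65.21" style strings.
_VERSION = re.compile(
    r"(?:NS)?(\d+\.\d+)(?::\s*Build\s*|[-.])(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text):
    """Return (branch, (build_major, build_minor)) or raise ValueError."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no ADC/Gateway version found in {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text, edition="standard"):
    """Classify a version string as 'vulnerable', 'fixed' or 'not-listed'."""
    branch, build = parse_version(text)
    fixed = FIXED.get((branch, edition.lower()))
    if fixed is None:
        # Branch/edition not covered by the advisory: do not guess.
        return "not-listed"
    # Tuple comparison is numeric, so 55.289 > 55.36 and 88.9 < 88.12.
    return "vulnerable" if build < fixed else "fixed"


if __name__ == "__main__":
    # Constructed inventory: (hostname, version string, edition)
    inventory = [
        ("gw-ams-01", "NetScaler NS13.0: Build 88.9.nc", "standard"),
        ("gw-ams-02", "13.1-33.47", "standard"),
        ("adc-fips-01", "NS12.1: Build 55.289.nc", "fips"),
        ("adc-old-01", "NS11.1: Build 65.22.nc", "standard"),
    ]
    for host, version, edition in inventory:
        print(f"{host:12} {edition:9} {version:35} {assess(version, edition)}")
```

A result of "not-listed" means the branch does not appear in the lists above and needs to be checked against the Citrix bulletin [1] separately.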

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. We will also investigate whether any additional action can be taken based upon available information within our monitoring services.

You can call us by phone or send us an email if you would like additional information.

Phone number: +31 (0)30-303 1244 (during business hours)

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

 

Disclaimer applies, see below.

 

Sources

[1]: Citrix – https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516

[2]: Citrix – https://www.citrix.com/en-gb/products/citrix-gateway/

[3]: Citrix – https://www.citrix.com/en-gb/products/citrix-adc/

[4]: NCSC – https://advisories.ncsc.nl/advisory?id=NCSC-2022-0701

 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.