Threat Response:Critical vulnerability in Citrix Gateway and Citrix ADC

14-12-2022

A SAFE DIGITAL JOURNEY
On the 13th of December, Citrix resolved a vulnerability in the Citrix Gateway and Citrix ADC[1]. Northwave recommends to install the update as soon as possible. The vulnerability is tracked under CVE-2022-27518 and has not received a CVSSv3.1 score at the time of writing. The vulnerability allows unauthenticated remote attackers to perform arbitrary code execution on the appliance. This only applies to customer-managed Citrix Gateway and Citrix ADC appliances and not the Citrix-managed cloud services or Citrix-managed Adaptive Authentication. NCSC-NL is tracking this vulnerability under NCSC-2022-0767[3].
Since these vulnerabilities could have a big impact, Northwave would like to warn you and advise you on actions to take to mitigate the risk of the vulnerability.
Description
The Citrix Gateway consolidates remote access infrastructure to provide single sign-on across all applications whether in a data center, in a cloud, or if the applications are delivered as Software-as-a-Service (SaaS) applications. It allows people to access any application, from any device, through a single URL.
The following supported versions of the Citrix Gateway and Citrix ADC are vulnerable, where the Citrix Gateway or Citrix ADC must be configured as a SAML SP or a SAML IdP:
  • Citrix Gateway and Citrix ADC 13.0 before 13.0-58.32
  • Citrix Gateway and Citrix ADC 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291
Citrix Gateway and Citrix ADC version 13.1 is unaffected. Please note that the Citrix Gateway and Citrix ADC versions prior to 12.1 are End-of-life and customers on those versions are recommended to upgrade to one of the supported versions.
Impact
Since these vulnerabilities make it possible for an attacker to gain unauthenticated access to the Citrix Gateway and Citrix ADC and execute arbitrary code, Northwave assumes that exploitation of these vulnerabilities will have a high impact.
Risk
Northwave estimates the risk of these vulnerabilities as high, because of the popularity of these Citrix Gateway and Citrix ADC and the widespread usage of these appliances. The main risk is that an attacker could gain unauthenticated access to the systems and execute arbitrary code. At this time there are indications that the vulnerabilities are actively exploited on small scale according to Citrix[2]. Because the information regarding these vulnerabilities is now publicly available and active exploitation was confirmed by Citrix, Northwave expects Proof-of-Concept exploit code for this vulnerability will be published soon.
Mitigation
Citrix has released an update for the vulnerabilities on December 13th. Northwave advises users which use the vulnerable versions of the Citrix Gateway and Citrix ADC and are configured as a SAML SP or a SAML IdP to update to the following versions as soon as possible:
  • Citrix Gateway and Citrix ADC 13.0 before 13.0-58.32
  • Citrix Gateway and Citrix ADC 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291
What should you do?
Northwave recommends to update the Citrix Gateway and Citrix ADC to one of the versions mentioned above as soon as possible if you use a vulnerable version of the software.
What will Northwave do?
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909
Disclaimer applies, see below.
Sources

 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.