Unauthenticated Remote Code Execution in Citrix ADC and Citrix Gateway

12:00pm, 14 December 2022

TLP Rating: Clear

A vulnerability (CVE-2022-27518) has been discovered in Citrix ADC and Citrix Gateway. If exploited, it can allow an unauthenticated attacker to perform arbitrary code execution.

The Citrix ADC or Gateway appliance must be configured as a SAML SP or a SAML IdP to be affected.

Citrix has advised that there is a small number of targeted attacks in the wild using this vulnerability.

What's happening

Systems affected

Citrix Application Delivery Controller and Gateway

The following systems are unaffected:

  • Citrix Application Delivery Management (ADM).
  • Citrix SD-WAN.
  • Citrix Managed Cloud Services.
  • Citrix Managed Adaptive Authentication.

What to look for

How to tell if you're at risk

If you are running an affected version of Citrix ADC and Citrix Gateway and using SAML authentication, you are at risk.

The affected versions are:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32 
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25 
  • Citrix ADC 12.1-FIPS before 12.1-55.291 
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

To check if you are using SAML, inspect the ns.conf file for the following commands:

add authentication samlAction

or

add authentication samlIdPProfile
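
The two checks above (build number against the affected versions, and the SAML commands in ns.conf) can be combined in a short script. This is an added example, not part of the advisory or of any Citrix tooling; it assumes the version is supplied in the advisory's RELEASE-BUILD form (for example 13.0-58.30) and that commands are matched case-insensitively, and the sample ns.conf lines are constructed.

```python
import re

# First fixed builds as listed in the advisory: (release, edition) -> build.
FIXED = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# The two ns.conf commands the advisory names (SAML SP and SAML IdP).
# Assumption: matched case-insensitively, at the start of a line.
SAML_RE = re.compile(
    r"^[ \t]*add\s+authentication\s+(samlAction|samlIdPProfile)\b", re.I | re.M)

# Constructed sample input, not taken from a real appliance.
SAMPLE_NS_CONF = """\
add authentication ldapAction example_ldap -serverIP 192.0.2.10
add authentication samlAction example_sp_action
"""

def parse_build(version):
    """'13.0-58.30' -> ('13.0', (58, 30)); compares numerically, not as text."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def build_is_affected(version, edition="standard"):
    """True/False for releases the advisory lists, None for any other release."""
    release, build = parse_build(version)
    fixed = FIXED.get((release, edition))
    return None if fixed is None else build < fixed

def saml_commands(ns_conf_text):
    """Return which of the two SAML commands appear in the ns.conf text."""
    return sorted({m.group(1).lower() for m in SAML_RE.finditer(ns_conf_text)})

def at_risk(version, edition, ns_conf_text):
    """At risk only when the build is affected AND SAML SP/IdP is configured."""
    return bool(build_is_affected(version, edition)) and bool(saml_commands(ns_conf_text))

if __name__ == "__main__":
    print(at_risk("13.0-58.30", "standard", SAMPLE_NS_CONF))
```

A None result from build_is_affected means the release is not listed in this advisory, so check the Citrix Security Bulletin for it.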

How to tell if you're affected

The NSA has released threat hunting guidance to help determine if you have been affected by this vulnerability.

CSA: APT5: Citrix ADC Threat Hunting Guidance:

Cybersecurity Advisories & Guidance (nsa.gov)

What to do

Prevention

Update Citrix ADC and Gateway appliances to the latest versions:

  • Citrix ADC and Citrix Gateway 13.0-58.32 and later releases.
  • Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1.
  • Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS.
  • Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP.

More information

Citrix Security Bulletin

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518

NSA CSA: APT5: Citrix ADC Threat Hunting Guidance

Cybersecurity Advisories & Guidance (nsa.gov)

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384