Citrix has released patches for three vulnerabilities in Citrix Gateway and Citrix ADC (CVE-2022-27510, CVE-2022-27513, and CVE-2022-27516). Depending on how the appliance is configured, an attacker can exploit them to gain unauthorized access to Gateway user capabilities, take over a remote workstation through the RDP proxy, or bypass the login brute-force protection.
Citrix Gateway unifies remote access infrastructure to offer single sign-on for all applications, regardless of whether they are hosted in a data center, the cloud, or are offered as SaaS apps. Through a single URL, anyone can access any app on any device.
Citrix ADC is a delivery and load-balancing solution for monolithic and microservices-based applications. This application provides uninterrupted availability and optimal performance.
CVE-2022-27510
The prerequisite for this vulnerability is that the appliance must be configured as a VPN (Gateway). The weakness is an authentication bypass using an alternate path or channel (CWE-288). On successful exploitation, an attacker gains unauthorized access to Gateway user capabilities.
Citrix emphasized that only appliances used as a gateway are affected, that is, appliances configured as ICA proxies with authentication enabled or that use the SSL VPN feature. Appliances deployed purely as load balancers (ADC without a Gateway virtual server) are not exposed to this issue.
CVE-2022-27513
The prerequisites for this vulnerability are:
- The appliance must be configured as a VPN (Gateway)
- The RDP proxy functionality must be configured
Exploitation requires phishing: the victim must be lured into following an attacker-controlled RDP proxy link. The underlying weakness is insufficient verification of data authenticity (CWE-345). On successful exploitation, the attacker gains control of the victim's remote workstation (remote desktop takeover).
CVE-2022-27516
The prerequisites for this vulnerability are:
- The appliance must be configured as a VPN (Gateway) OR AAA virtual server
- The user lockout functionality “Max Login Attempts” must be configured
This is a bypass of the user login brute-force protection (protection mechanism failure, CWE-693). On successful exploitation, the "Max Login Attempts" lockout no longer limits an attacker, so password-guessing attempts against Gateway or AAA logins are not throttled as the configuration intends.
Affected versions
- Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
- Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
- Citrix ADC 12.1-FIPS before 12.1-55.289
- Citrix ADC 12.1-NDcPP before 12.1-55.289
Mitigation
Customers are advised to upgrade to the following versions to mitigate the vulnerabilities:
- Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
- Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
For more information, please refer to the Citrix Security Bulletin.
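The following script is an added example, not code from Citrix or from the bulletin. It turns the affected-version list above into a check that can be run against the banner printed by `show ns version` on an appliance, and it triages which of the three CVEs apply from the prerequisites listed earlier by grepping the running configuration. Assumptions are labelled in the code: the banner format (`NetScaler NS13.0: Build 87.9.nc, ...`), the rule that 12.1 builds numbered 55.x are FIPS/NDcPP images, and the configuration keywords (`add vpn vserver`, `add authentication vserver`, `add rdp clientprofile`/`serverprofile`, `-maxLoginAttempts`) used as heuristics. The sample banners and configuration are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed builds from the bulletin (CTX463706), keyed by (release, edition).
# 12.1-FIPS and 12.1-NDcPP share the same fixed build, so one "fips" entry covers both.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("13.1", "standard"): (33, 47),
    ("13.0", "standard"): (88, 12),
    ("12.1", "standard"): (65, 21),
    ("12.1", "fips"): (55, 289),
}

# Assumption: "show ns version" prints e.g. "NetScaler NS13.0: Build 87.9.nc, Date: ..."
VERSION_RE = re.compile(r"NS(?P<release>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)")


def parse_version(banner: str) -> Tuple[str, int, int]:
    """Return (release, build_major, build_minor) from a 'show ns version' banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group("release"), int(m.group("major")), int(m.group("minor"))


def is_vulnerable(banner: str, edition: Optional[str] = None) -> Optional[bool]:
    """True if the build predates the fix, False if fixed, None if the release is not in the bulletin."""
    release, major, minor = parse_version(banner)
    if edition is None:
        # Assumption (heuristic): 12.1 FIPS/NDcPP images use 55.x build numbers, standard 12.1 uses 65.x.
        edition = "fips" if (release == "12.1" and major == 55) else "standard"
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        return None  # e.g. 12.0 / 11.1: not listed in the bulletin at all
    return (major, minor) < fixed  # tuple comparison: build major first, then minor


def exposed_features(running_config: str) -> Dict[str, bool]:
    """Map each CVE to whether its configuration prerequisites are present.

    Assumption: these keywords are heuristics over 'show ns runningConfig' output,
    not Citrix's own detection logic.
    """
    cfg = running_config
    vpn = re.search(r"^add vpn vserver ", cfg, re.M) is not None          # Gateway configured
    aaa = re.search(r"^add authentication vserver ", cfg, re.M) is not None  # AAA vserver
    rdp = re.search(r"^add rdp (client|server)profile ", cfg, re.M) is not None  # RDP proxy
    lockout = re.search(r"-maxLoginAttempts\s+[1-9]\d*", cfg) is not None  # Max Login Attempts set
    return {
        "CVE-2022-27510": vpn,
        "CVE-2022-27513": vpn and rdp,
        "CVE-2022-27516": (vpn or aaa) and lockout,
    }


def triage(banner: str, running_config: str) -> Dict[str, bool]:
    """CVEs that apply: build is pre-fix AND the CVE's prerequisites are configured."""
    vulnerable_build = is_vulnerable(banner)
    features = exposed_features(running_config)
    return {cve: bool(vulnerable_build) and present for cve, present in features.items()}


# Constructed sample input (not captured from a real appliance).
SAMPLE_BANNER = "NetScaler NS13.0: Build 87.9.nc, Date: Sep 2 2022, 12:18:04   (64-bit)"
SAMPLE_CONFIG = """\
add lb vserver web_lb SSL 10.0.0.5 443
add vpn vserver gw_vs SSL 10.0.0.10 443 -icaOnly OFF
add rdp serverprofile rdp_sp
set aaa parameter -maxLoginAttempts 5 -failedLoginTimeout 10
"""

if __name__ == "__main__":
    print("pre-fix build:", is_vulnerable(SAMPLE_BANNER))
    for cve, applies in triage(SAMPLE_BANNER, SAMPLE_CONFIG).items():
        print(f"{cve}: {'APPLIES' if applies else 'not exposed'}")
```

A True from `is_vulnerable` combined with an exposed feature means the appliance should be upgraded to the fixed build listed above; a False from `is_vulnerable` alone is not a reason to skip the configuration review, since the prerequisites also tell you which exposure to prioritise on appliances that cannot be patched immediately.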
Qualys Detection
Qualys customers can scan their devices with QIDs 377751 and 730713 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://securityaffairs.co/wordpress/138264/security/citrix-gateway-adc-flaws.html
https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516