Citrix Application Delivery Controller (ADC) and Citrix Gateway Arbitrary Code Execution Vulnerability (CVE-2022-27518)

Citrix has released patches for an actively exploited zero-day vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway. Tracked as CVE-2022-27518, this critical vulnerability could allow arbitrary code execution on the vulnerable system on successful exploitation. 
 
Citrix states in the blog, “We are aware of a small number of targeted attacks in the wild using this vulnerability.” 
 
Citrix Gateway unifies remote access infrastructure to offer single sign-on for all applications, whether hosted in a data center, the cloud, or provided as SaaS apps. Through a single URL, anyone can access any app on any device.  
  
Citrix ADC is a delivery and load-balancing solution for monolithic and microservices-based applications. This application provides uninterrupted availability and optimal performance. 
 
Description 
CVE-2022-27518 is an unauthenticated remote arbitrary code execution vulnerability that affects multiple versions of Citrix Gateway and Citrix ADC. The vulnerability exists in the affected versions only if Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP.  
 
Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not required to take any action regarding this vulnerability.  
 
Prerequisite check 
Customers can check whether their Citrix Gateway or Citrix ADC is configured as a SAML SP or a SAML IdP by inspecting the ns.conf file. Look for either of the following commands in the file:

  • add authentication samlAction – Appliance is configured as a SAML SP  
  • add authentication samlIdPProfile – Appliance is configured as a SAML IdP 

If either of the commands is present in the ns.conf file and the version is in the list of affected versions, then the appliance must be updated.  
 
Affected versions  

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32  
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25 
  • Citrix ADC 12.1-FIPS before 12.1-55.291  
  • Citrix ADC 12.1-NDcPP before 12.1-55.291 

NOTE: Citrix ADC and Citrix Gateway version 13.1 is unaffected.  
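The prerequisite check and the affected-version list above can be combined into one script. The following is an added example written for this post; it is not Citrix's or Qualys's code. It assumes the ns.conf contents are supplied as text (on an appliance the file is typically read from /nsconfig/ns.conf, which this post does not state), that the version is written in the "13.0-58.32" form used in the bulletin, and that the FIPS or NDcPP variant is passed explicitly because those lines carry their own build numbers. The sample ns.conf excerpt is constructed for the example.

```python
import re

# Fixed builds per release line, taken from the bulletin's affected-version list.
# Key is (release, variant); variant "" is the standard ADC/Gateway build.
FIXED_BUILDS = {
    ("13.0", ""): (58, 32),
    ("12.1", ""): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# ns.conf commands that indicate a SAML SP or SAML IdP configuration.
SAML_MARKERS = {
    "add authentication samlAction": "SAML SP",
    "add authentication samlIdPProfile": "SAML IdP",
}

# Constructed ns.conf excerpt for demonstration; not taken from a real appliance.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication vserver auth_vs SSL 192.0.2.20 443
bind authentication vserver auth_vs -policy saml_pol -priority 100
"""


def saml_roles(ns_conf_text):
    """Return the set of SAML roles ('SAML SP', 'SAML IdP') found in ns.conf text."""
    roles = set()
    for line in ns_conf_text.splitlines():
        stripped = line.strip()
        for marker, role in SAML_MARKERS.items():
            # Require the trailing space so only the exact command keyword matches.
            if stripped.startswith(marker + " "):
                roles.add(role)
    return roles


def parse_version(version):
    """Split a version such as '13.0-58.32' into ('13.0', (58, 32))."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def version_status(version, variant=""):
    """Classify a build as unaffected, fixed, vulnerable, eol or unknown."""
    release, build = parse_version(version)
    if release == "13.1":
        return "unaffected"          # 13.1 is not affected per the bulletin
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        major, minor = (int(x) for x in release.split("."))
        if (major, minor) < (12, 1):
            return "eol"             # releases before 12.1 are end of life
        return "unknown"             # release/variant pair not in the bulletin
    # Build numbers compare as (major build, minor build) tuples.
    return "vulnerable" if build < fixed else "fixed"


def assess(version, ns_conf_text, variant=""):
    """Combine the SAML prerequisite check with the version check."""
    roles = saml_roles(ns_conf_text)
    status = version_status(version, variant)
    if not roles:
        action = "no action: appliance is not configured as a SAML SP or SAML IdP"
    elif status == "vulnerable":
        action = "update required: SAML configured and build is before the fixed build"
    elif status == "eol":
        action = "upgrade required: release is EOL, move to a supported version"
    elif status == "unknown":
        action = "check manually: release/variant not in the bulletin's list"
    else:
        action = "no action: build is fixed or release is unaffected"
    return {"roles": sorted(roles), "status": status, "action": action}


if __name__ == "__main__":
    print(assess("13.0-58.30", SAMPLE_NS_CONF))
```

Because a FIPS or NDcPP appliance on 12.1-55.x is fixed at 55.291 while a standard 12.1 appliance needs 65.25, pass the variant explicitly; comparing a FIPS build against the standard threshold would misclassify it.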
 
Mitigation 
Citrix recommends users upgrade to fixed versions: 

  • Citrix ADC and Citrix Gateway 13.0-58.32 and later releases  
  • Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1  
  • Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS   
  • Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP 

For more information, please refer to the Citrix Security Bulletin. 
 
The advisory states, “Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL, and customers on those versions are recommended to upgrade to one of the supported versions.” 
 
Qualys Detection  
Qualys customers can scan their devices with QIDs 377825 and 730712 to detect vulnerable assets.  
 
Note: The QID only supports Citrix ADC and Citrix Gateway. 
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/  
https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518
