Citrix published a security advisory on 13 December 2022 disclosing a remote code execution vulnerability in Citrix ADC and Citrix Gateway. The flaw, tracked as CVE-2022-27518, is rated Critical with a CVSS score of 9.8 out of 10. Successful exploitation allows an unauthenticated remote attacker to execute code on vulnerable versions of Citrix ADC and Gateway. According to the U.S. National Security Agency (NSA), a threat actor tracked as APT5 has been actively exploiting this vulnerability in the wild. Organizations running a vulnerable build of Citrix ADC or Gateway with a SAML SP or IdP configuration enabled should apply the patches as soon as they can. We created this post to explain how to fix CVE-2022-27518, a critical remote code execution vulnerability in Citrix ADC and Gateway products.
A Short Note About Citrix ADC and Gateway Products:
Citrix ADC (previously known as NetScaler ADC) is an application delivery controller designed to provide high availability, performance, and security for virtual, cloud, and on-premises resources. It optimizes the delivery of applications with increased scalability and intelligence, including integration into existing networks and cloud platforms. The product also provides authentication and traffic-management features such as single sign-on (SSO) and content switching, and application acceleration capabilities such as HTTP compression, caching, and optimization.
Citrix Gateway (formerly known as NetScaler Gateway) provides secure remote access to applications and desktops from any device. This includes secure web access, single sign-on (SSO), location awareness, and network access control. It also provides advanced security features such as two-factor authentication and user identity verification. It is designed to ensure that only authenticated users have access to the correct applications, with no need to install additional software on the device. The product helps organizations meet compliance requirements and protect corporate data from unauthorized access.
Citrix ADC and Gateway products work together to provide a complete solution for secure application delivery, remote access, and network security. They help organizations reduce complexity, simplify the deployment and management of applications, increase scalability, improve performance, and ensure user productivity with secure access to their applications from anywhere.
APT5, the threat actor named by the NSA, is also known as Bronze Fleetwood, Keyhole Panda, Manganese, and UNC2630, and is suspected of operating on behalf of Chinese interests. The security firm Mandiant has published details about the various APT groups it has tracked in its analyses on its blog, where it lists more than 25 APT groups. We suggest bookmarking that page to follow updates about APT groups.
Summary of CVE-2022-27518
This is a critical remote code execution vulnerability with a CVSS score of 9.8 that can be abused to execute code remotely on vulnerable versions of Citrix ADC and Citrix Gateway. The vendor says it identified the vulnerability during an internal review. According to Citrix, the appliance must be configured either as a SAML SP (Service Provider) or as a SAML IdP (Identity Provider) for the vulnerability to be exploitable. Citrix is aware of active exploitation of this flaw in the wild and has chosen not to disclose the technical details of CVE-2022-27518, so as not to help attackers before customers have patched.
| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-27518 |
| Description | A critical remote code execution vulnerability in Citrix ADC and Gateway |
| Associated ZDI ID | – |
| CVSS Score | 9.8 Critical |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
Citrix Products Affected by CVE-2022-27518
The vulnerability affects the supported 12.1 and 13.0 branches of Citrix ADC and Citrix Gateway, including the 12.1-FIPS and 12.1-NDcPP builds, when the appliance is configured as a SAML SP or IdP.
The flaw affects the following Citrix ADC and Citrix Gateway versions: 12.1 (including FIPS and NDcPP) and 13.0 before 13.0-58.32 of Citrix ADC and Citrix Gateway, both of which must be configured with a SAML SP or IdP configuration to be affected. – Citrix
The following versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
Note: This flaw affects only customer-managed physical or virtual appliances. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected, so customers of those services do not need to take any action.
How to Fix CVE-2022-27518- A Critical Remote Code Execution Vulnerability in Citrix ADC and Gateway?
Citrix has released patched builds to address this vulnerability. We recommend that organizations running a vulnerable build of Citrix ADC or Gateway with a SAML SP or IdP configuration enabled apply the patches as soon as they can. Download the fixed build for your branch from Citrix and upgrade. If you are looking for a workaround to take immediate action, there is none beyond disabling SAML authentication on the appliance, which removes the exploitable configuration at the cost of SAML-based logins until you can patch.
How to Verify SAML SP or a SAML IdP is Configured on the Citrix ADC or Citrix Gateway?
It is easy to verify whether your Citrix ADC or Citrix Gateway is configured as a SAML Service Provider (SP) or Identity Provider (IdP). Search for either “add authentication samlaction” or “add authentication samlIdpProfile” in the ns.conf file (on the appliance it lives at /nsconfig/ns.conf). Check this KB to learn how to obtain the ns.conf file.
- If you see “add authentication samlaction”, your appliance is configured as a SAML Service Provider (SP).
- If you see “add authentication samlIdpProfile”, your appliance is configured as a SAML Identity Provider (IdP).
If either line is present in ns.conf, your Citrix ADC or Citrix Gateway is exposed to this vulnerability and you should upgrade to a patched build.
Patched versions of Citrix ADC and Gateway Products:
- Citrix ADC and Citrix Gateway 13.0-58.32 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP
Note: Citrix ADC and Citrix Gateway versions prior to 12.1 are end of life, and no updates are released for them. Organizations using these obsolete versions should move to one of the supported versions. If you need more support on this issue, contact Citrix Technical Support.
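The two checks described above, whether ns.conf contains a SAML SP or IdP definition and whether the running build is older than the fixed build for its branch, can be scripted. The following POSIX shell script is an added example written for this post; it is not Citrix code or tooling. It assumes that the first line of ns.conf is a header of the form “#NS13.0 Build 47.24”, and the sample configs it reads are constructed for the demo, not captured from a real appliance. Because the header alone does not tell a 12.1-FIPS or 12.1-NDcPP appliance apart from a standard 12.1 one, the operator passes “fips” or “ndcpp” as a second argument for those trains.

```shell
#!/bin/sh
# Added example (not Citrix code or tooling): triage a Citrix ADC / Gateway
# ns.conf for CVE-2022-27518 exposure using the two facts above:
#   1. the appliance is exposed only when it is a SAML SP
#      ("add authentication samlAction ...") or a SAML IdP
#      ("add authentication samlIdPProfile ...");
#   2. the fixed builds are 13.0-58.32, 12.1-65.25 and, on the
#      12.1-FIPS / 12.1-NDcPP trains, 12.1-55.291; anything below 12.1 is EOL.
# Assumption: the first line of ns.conf is a header such as "#NS13.0 Build 47.24".
# Every sample config below is constructed for this demo, not taken from a box.

# saml_roles FILE -> "sp", "idp", "sp idp" or "none"
saml_roles() {
    r=""
    if grep -qiE '^[[:space:]]*add[[:space:]]+authentication[[:space:]]+samlaction[[:space:]]' "$1"; then
        r="sp"
    fi
    if grep -qiE '^[[:space:]]*add[[:space:]]+authentication[[:space:]]+samlidpprofile[[:space:]]' "$1"; then
        r="${r:+$r }idp"
    fi
    echo "${r:-none}"
}

# ns_build FILE -> "13.0-47.24" parsed from the header line, or "unknown"
ns_build() {
    b=$(sed -n '1s/^#NS\([0-9][0-9]*\.[0-9][0-9]*\) Build \([0-9][0-9]*\.[0-9][0-9]*\).*/\1-\2/p' "$1")
    echo "${b:-unknown}"
}

# build_lt A B -> exit 0 when build A (major.minor-build.rev) is older than B
build_lt() {
    set -- $(echo "$1" | sed 's/[.-]/ /g') $(echo "$2" | sed 's/[.-]/ /g')
    while [ $# -gt 4 ]; do                 # compare $1 with $5, then shift
        if [ "$1" -lt "$5" ]; then return 0; fi
        if [ "$1" -gt "$5" ]; then return 1; fi
        shift
    done
    return 1
}

# assess FILE [fips|ndcpp] -> "STATUS BUILD ROLES" where STATUS is one of
# vulnerable | patched | no-saml | unsupported (EOL branch or unparsable header)
assess() {
    roles=$(saml_roles "$1")
    build=$(ns_build "$1")
    case "${build%%-*}:${2:-std}" in
        13.0:std)             fixed=13.0-58.32 ;;
        12.1:std)             fixed=12.1-65.25 ;;
        12.1:fips|12.1:ndcpp) fixed=12.1-55.291 ;;
        *)                    echo "unsupported $build $roles"; return 0 ;;
    esac
    if [ "$roles" = none ]; then
        echo "no-saml $build $roles"
    elif build_lt "$build" "$fixed"; then
        echo "vulnerable $build $roles"
    else
        echo "patched $build $roles"
    fi
}

# --- constructed sample configs (not real appliance dumps) ---
SP_OLD=$(mktemp); cat >"$SP_OLD" <<'EOF'
#NS13.0 Build 47.24
add ns ip 192.0.2.10 255.255.255.0
add authentication samlAction saml_sp -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication vserver auth_vs SSL 192.0.2.11 443
EOF
IDP_FIPS=$(mktemp); cat >"$IDP_FIPS" <<'EOF'
#NS12.1 Build 55.289
add authentication samlIdPProfile saml_idp -samlIdPCertName adc_cert -samlSPCertName sp_cert
EOF
PATCHED=$(mktemp); cat >"$PATCHED" <<'EOF'
#NS13.0 Build 58.32
add authentication samlAction saml_sp -samlIdPCertName idp_cert
EOF
NO_SAML=$(mktemp); cat >"$NO_SAML" <<'EOF'
#NS13.0 Build 47.24
add authentication ldapAction ldap_act -serverIP 192.0.2.20 -ldapBase "dc=example,dc=test"
EOF

echo "sp, old 13.0 build:     $(assess "$SP_OLD")"
echo "idp, old 12.1-FIPS:     $(assess "$IDP_FIPS" fips)"
echo "sp, fixed 13.0 build:   $(assess "$PATCHED")"
echo "ldap only, old build:   $(assess "$NO_SAML")"
```

On a live appliance, point `assess` at /nsconfig/ns.conf, or save the output of `show ns runningConfig` to a file first, since the saved config can lag behind what is actually running. The version comparison is numeric per component, so 13.0-58.4 is correctly treated as older than 13.0-58.32, and a pre-12.1 header comes back as “unsupported”, matching the end-of-life note above.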
How To Upgrade Citrix ADC?
There are different ways to upgrade a Citrix ADC appliance. Please take a look at those here:
How To Upgrade Citrix Gateway?
There are different ways to upgrade a Citrix Gateway appliance. Please take a look at those here:
We hope this post helps you fix CVE-2022-27518, a critical remote code execution vulnerability in Citrix ADC and Gateway products. Please share this post and help to secure the digital world.