In a security bulletin on November 08, 2022, Citrix warned its customers using Citrix ADC and Citrix Gateway to install updates to patch three vulnerabilities, one of which was assessed as critical. The three vulnerabilities could allow attackers to bypass login brute force protection, perform remote desktop takeover, or get unauthorized access to the device, depending on the Citrix devices’ configuration.
What are the New Citrix Vulnerabilities?
Citrix Gateway and Citrix ADC are both susceptible to the following vulnerabilities:
- CVE-2022-27510: A critical vulnerability that allows authentication to be bypassed via a different path or channel that threat actors can only exploit if the appliance is set up as a VPN.
- CVE-2022-27513: Insufficient verification of data authenticity permits remote desktop takeover using phishing. The vulnerability is exploitable only when the appliance is set up as a VPN (Gateway) and the RDP proxy feature is enabled.
- CVE-2022-27516: The login brute-force protection mechanism can fail and be bypassed by threat actors. To exploit this vulnerability, the appliance must be set up as a VPN (Gateway) or AAA virtual server with the “Max Login Attempts” configuration.
How Critical are the Vulnerabilities?
So far, only one of the three vulnerabilities (CVE-2022-27510) has been assessed as critical. However, at the time of writing there is no official severity rating for CVE-2022-27513 or CVE-2022-27516, either in the company's security bulletin or on the MITRE CVE website.
Which Versions and Products are Vulnerable?
- Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
- Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
- Citrix ADC 12.1-FIPS before 12.1-55.289
- Citrix ADC 12.1-NDcPP before 12.1-55.289
The Citrix bulletin states that customers who use cloud services managed by Citrix do not need to take any action. These vulnerabilities only affect customer-managed Citrix ADC and Citrix Gateway appliances.
How Do the Vulnerabilities Work?
These vulnerabilities are exploitable only when the configuration conditions listed above are met: the appliance must be configured as a VPN (Gateway) for CVE-2022-27510, as a VPN (Gateway) with the RDP proxy feature enabled for CVE-2022-27513, and as a VPN (Gateway) or AAA virtual server with "Max Login Attempts" configured for CVE-2022-27516.
Are the Vulnerabilities Actively Exploited in the Wild?
The security bulletin does not mention any exploitation in the wild.
Is There Any Exploit Code for the Vulnerabilities?
The security bulletin does not mention any exploitation in the wild, and no public exploit code for these vulnerabilities is known at the time of writing.
Is There Any Mitigation or Patch Available?
It is advised that affected Citrix ADC and Citrix Gateway users install the pertinent upgraded versions of those products as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
- Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
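To turn the affected-version list and the per-CVE configuration conditions into a repeatable inventory check, here is an added triage helper. It is not code from the Citrix bulletin or from SOCRadar; it is an example written for this page. It assumes a build string in the form `13.1-33.47`, with the 12.1 special builds written as `12.1-FIPS-55.289` or `12.1-NDcPP-55.289` (a convention chosen here, not a Citrix format), and takes the appliance's role (Gateway/VPN, AAA virtual server, RDP proxy, Max Login Attempts) as boolean inputs that an operator fills in from the running configuration. The fixed-build thresholds are the ones listed in the bulletin above; the sample inventory at the bottom is constructed.

```python
"""Added example: triage Citrix ADC / Gateway builds against the November 2022 bulletin."""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed builds from the bulletin, keyed by (release line, variant).
# variant is "" for standard builds, "FIPS" or "NDcPP" for the 12.1 special builds.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("13.1", ""): (33, 47),
    ("13.0", ""): (88, 12),
    ("12.1", ""): (65, 21),
    ("12.1", "FIPS"): (55, 289),
    ("12.1", "NDcPP"): (55, 289),
}

# Assumed input convention: "<release>[-FIPS|-NDcPP]-<build>.<sub>", e.g. "12.1-FIPS-55.289".
_VERSION_RE = re.compile(r"^(\d+\.\d+)(?:-(FIPS|NDcPP))?-(\d+)\.(\d+)$")


def parse_build(version: str) -> Tuple[str, str, Tuple[int, int]]:
    """Split a build string into (release line, variant, (build, sub-build))."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix build string: {version!r}")
    release, variant, build, sub = m.groups()
    return release, variant or "", (int(build), int(sub))


def is_affected(version: str) -> Optional[bool]:
    """True if the build is below the fixed build for its release line and variant,
    False if it is at or above it, None if the bulletin does not cover that line."""
    release, variant, build = parse_build(version)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return None
    # Tuple comparison orders by build first, then sub-build: (87, 99) < (88, 12).
    return build < fixed


def applicable_cves(version: str, gateway_vpn: bool, aaa_vserver: bool,
                    rdp_proxy: bool, max_login_attempts: bool) -> Optional[List[str]]:
    """Return the CVEs from the bulletin that apply to this appliance, given its build
    and the configuration conditions the bulletin names. None means the release line
    is not covered by the bulletin and must be assessed separately."""
    affected = is_affected(version)
    if affected is None:
        return None
    if not affected:
        return []
    cves: List[str] = []
    if gateway_vpn:                                   # VPN (Gateway) configured
        cves.append("CVE-2022-27510")
    if gateway_vpn and rdp_proxy:                     # Gateway plus RDP proxy feature
        cves.append("CVE-2022-27513")
    if (gateway_vpn or aaa_vserver) and max_login_attempts:  # Max Login Attempts set
        cves.append("CVE-2022-27516")
    return cves


if __name__ == "__main__":
    # Constructed inventory: (hostname, build, gateway_vpn, aaa_vserver, rdp_proxy, max_login_attempts)
    inventory = [
        ("gw-dmz-01", "13.1-33.46", True, False, True, True),
        ("aaa-core-01", "13.0-87.99", False, True, False, True),
        ("adc-lb-01", "13.1-33.47", False, False, False, False),
        ("adc-fips-01", "12.1-FIPS-55.288", True, False, False, False),
        ("adc-new-01", "14.1-4.42", True, False, False, False),
    ]
    for host, build, *flags in inventory:
        result = applicable_cves(build, *flags)
        status = "not covered by bulletin" if result is None else (", ".join(result) or "patched")
        print(f"{host:12s} {build:18s} {status}")
```

The boolean inputs are deliberately kept outside the script: the bulletin defines the conditions in terms of features (Gateway/VPN, AAA virtual server, RDP proxy, Max Login Attempts), and how each is confirmed depends on how the appliance is managed, so the operator supplies those facts and the script only applies the bulletin's rules consistently. A release line the bulletin does not list returns `None` rather than "patched", so unlisted (for example end-of-life) builds are not silently marked safe.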
How Can SOCRadar Help?
SOCRadar Free Edition allows you to find out whether your data is exposed to threat actors and to identify and address the risks in your digital assets. In the case of the latest Citrix vulnerabilities, SOCRadar detects affected appliances with its passive scan feature, which continuously scans your internet-facing environment. Furthermore, SOCRadar reports the criticality according to the CWE record and raises an alarm to warn you. If you want to learn more about SOCRadar's capabilities, sign up for the SOCRadar Free Edition now.