Citrix Warns of New Zero-Day Vulnerability Exploited in the Wild

Citrix Releases Security Updates for ADC and Gateway. Apply Immediately.

Days after Fortinet issued an emergency patch for a critical vulnerability in its FortiOS SSL-VPN product, Citrix has released its own emergency security update for Citrix ADC and Citrix Gateway.

The company has fixed a critical zero-day vulnerability tracked as CVE-2022-27518. It affects Citrix ADC and Citrix Gateway 12.1 (including the FIPS and NDcPP builds) and 13.0 before 13.0-58.32, and an appliance is affected only when it is configured as a SAML SP or SAML IdP. Citrix ADC and Citrix Gateway 13.1 are not affected.

The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on a vulnerable appliance and take control of it. Citrix says it is aware of a small number of targeted attacks in the wild; the NSA attributes that activity to APT5, a suspected Chinese state-sponsored group (see below).

"Customers who are using an affected build with a SAML SP or IdP configuration are urged to install the recommended builds immediately as this vulnerability has been identified as critical (CTX474995). No workarounds are available for this vulnerability."

"We are aware of a small number of targeted attacks in the wild using this vulnerability."

Affected Citrix ADC and Citrix Gateway

The vulnerability impacts the following versions of Citrix ADC and Citrix Gateway:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

The above versions are impacted only if the appliances are configured as a SAML SP (SAML service provider) or SAML IdP (SAML identity provider).

An administrator can determine whether a Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP by inspecting the ns.conf file for the following commands:

add authentication samlAction
add authentication samlIdPProfile

If either command is present in ns.conf and the appliance is running an affected build, the update should be applied immediately.
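The two checks above (SAML SP/IdP presence in ns.conf, and whether the running build predates the fixed build for its release line) are easy to get wrong across a fleet, so here is an added triage script that automates them. It is example code written for this article, not a Citrix tool. The `show ns version` output format it parses ("NetScaler NS13.0: Build 58.15.nc, ...") and the sample ns.conf fragments are assumptions constructed for the example; the operator supplies the build variant (standard, FIPS or NDcPP) because the script does not infer it from the version string.

```python
"""Triage helper for CVE-2022-27518 on Citrix ADC / Citrix Gateway.

Added example, not Citrix tooling. It automates the two checks the
bulletin describes: whether ns.conf configures a SAML SP or IdP, and
whether the running build predates the fixed build for its release line.
The `show ns version` output format and the sample ns.conf fragments are
assumptions made for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds from CTX474995, keyed by (release line, build variant).
# A build numerically lower than the fixed build on the same line is affected.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "fips"): (55, 291),
    ("12.1", "ndcpp"): (55, 291),
}

# The two ns.conf commands the bulletin says indicate SAML SP / IdP use.
SAML_CMD_RE = re.compile(r"^\s*add authentication (samlAction|samlIdPProfile)\b", re.M)

# Assumed shape of `show ns version` output, e.g.
# "NetScaler NS13.0: Build 58.15.nc, Date: ..." -> release "13.0", build (58, 15).
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def saml_roles(ns_conf: str) -> List[str]:
    """Return the SAML roles found in ns.conf: 'SP' for samlAction, 'IdP' for samlIdPProfile."""
    roles = set()
    for m in SAML_CMD_RE.finditer(ns_conf):
        roles.add("SP" if m.group(1) == "samlAction" else "IdP")
    return sorted(roles)


def parse_version(show_version: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Extract (release, (build_major, build_minor)) from `show ns version` output."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def build_is_vulnerable(release: str, build: Tuple[int, int], variant: str = "standard") -> Optional[bool]:
    """True if the build predates the fix; None if the release line is not in the bulletin (e.g. 13.1)."""
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return None
    return build < fixed


def triage(ns_conf: str, show_version: str, variant: str = "standard") -> Dict[str, object]:
    """Combine both checks. `variant` is 'standard', 'fips' or 'ndcpp', supplied by the operator."""
    roles = saml_roles(ns_conf)
    parsed = parse_version(show_version)
    vulnerable = build_is_vulnerable(parsed[0], parsed[1], variant) if parsed else None
    if not roles:
        verdict = "not_exposed"      # bulletin: only SAML SP/IdP configurations are affected
    elif vulnerable is None:
        verdict = "unknown"          # version unparsable or release line not covered here
    elif vulnerable:
        verdict = "exposed"          # SAML configured on an unpatched build: patch now
    else:
        verdict = "not_exposed"      # SAML configured, but build already at/after the fix
    return {"saml_roles": roles, "version": parsed, "build_vulnerable": vulnerable, "verdict": verdict}


# Constructed sample inputs for demonstration (not taken from a real appliance).
SAMPLE_NS_CONF_SAML = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_sp -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication vserver auth_vs SSL 192.0.2.11 443
"""
SAMPLE_NS_CONF_LDAP = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication ldapAction ldap_srv -serverIP 192.0.2.20 -ldapBase "dc=example,dc=test"
"""
SAMPLE_VERSION_OLD = "NetScaler NS13.0: Build 58.15.nc, Date: Oct 4 2022, 10:05:11   (64-bit)"
SAMPLE_VERSION_FIXED = "NetScaler NS13.0: Build 58.32.nc, Date: Dec 9 2022, 12:00:00   (64-bit)"

if __name__ == "__main__":
    print(triage(SAMPLE_NS_CONF_SAML, SAMPLE_VERSION_OLD))    # verdict: exposed
    print(triage(SAMPLE_NS_CONF_SAML, SAMPLE_VERSION_FIXED))  # verdict: not_exposed
    print(triage(SAMPLE_NS_CONF_LDAP, SAMPLE_VERSION_OLD))    # verdict: not_exposed
```

Run it off-box against a copied ns.conf and the saved output of `show ns version`; a "not_exposed" verdict on an unpatched build only means the SAML precondition is absent, which is a reason to prioritise, not to skip, the upgrade.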

CISA Security Advisory for Citrix ADC and Citrix Gateway RCE

As Citrix strongly urges admins to apply security updates for this critical zero-day vulnerability, CISA encourages users and administrators to review Citrix's security bulletin and apply the necessary updates.

Additionally, CISA urges organizations to review NSA’s advisory APT5: Citrix ADC Threat Hunting Guidance for detection and mitigation guidance against tools employed by a malicious actor targeting vulnerable Citrix ADC systems.

"APT5 has demonstrated capabilities against Citrix® Application Delivery Controller™ (ADC™) deployments ("Citrix ADCs"). Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls," reads the NSA advisory released today.

APT5 is believed to be a Chinese state-sponsored hacking group known to utilize zero-days in VPN devices to gain initial access and steal sensitive data.
