Citrix ADC and Gateway Zero-Day Vulnerability - CVE-2022-27518

THE THREAT

On December 13th, 2022, Citrix released a patch for vulnerable versions of Citrix ADC and Citrix Gateway products [1]. The vulnerability is tracked as CVE-2022-27518; Citrix describes it as an arbitrary code execution vulnerability. When CVE-2022-27518 is exploited, a threat actor could perform unauthenticated arbitrary code execution on the appliance. This vulnerability is being actively exploited in the wild in limited targeted attacks [4]; applying the available patches as soon as possible is highly recommended.

What we’re doing about it

• eSentire Managed Vulnerability Service (MVS) will add plugins for this vulnerability when they become available
• The eSentire Threat Intelligence team is tracking this vulnerability for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches from Citrix if you are running one of the following vulnerable versions:
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291
• Verify if your Citrix ADC/Gateway is serving SAML SP or SAML IdP by inspecting the ns.conf file for the following lines:
  • add authentication samlAction
  • add authentication samlIdPProfile

Additional information

A vulnerability has been discovered in Citrix Gateway and Citrix ADC, tracked as CVE-2022-27518, that, if exploited, could allow an unauthenticated, remote attacker to perform arbitrary code execution on the appliance.

A pre-condition for this exploit to successfully impact an organization is that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP. The SAML IdP (Identity Provider) is a SAML entity deployed on the customer network. The IdP receives requests from the SAML SP and redirects users to a login page, where they must enter their credentials. The IdP authenticates these credentials with the active directory (external authentication server, such as LDAP) and then generates a SAML assertion sent to the SP.

As mentioned above, you can verify the impacted servers by inspecting your configuration files for the above lines. If either of the commands are present in the ns.conf file, the appliance must be updated if the version is affected.

Relevant updated versions of Citrix ADC or Citrix Gateway include:

• Citrix ADC and Citrix Gateway 13.0-58.32 and later releases
• Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
• Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS 
• Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP
• Citrix ADC and Citrix Gateway version 13.1 is unaffected. 

Please note that Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL, and customers on those versions are recommended to upgrade to one of the supported versions.

Citrix has notified users via their bulletin [2] and is providing technical assistance with this issue via your Citrix Technical Support contact. 

References:

[1] https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518
[2] https://support.citrix.com/search/#/All%20Products?ct=Security%20Bulletins&searchText=&sortBy=Created%20date&pageIndex=1
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27518
[4] https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/