Unauthenticated Remote Code Execution in Citrix ADC and Citrix Gateway
A vulnerability (CVE-2022-27518) in Citrix ADC and Citrix Gateway has been discovered. If exploited, it can allow an unauthenticated attacker to perform arbitrary code execution.
The Citrix ADC or Gateway appliance must be configured as a SAML SP or a SAML IdP to be affected.
Citrix has advised that there is a small number of targeted attacks in the wild using this vulnerability.
Affected systems: Citrix Application Delivery Controller (ADC) and Citrix Gateway.
The following systems are unaffected:
- Citrix Application Delivery Management (ADM).
- Citrix SD-WAN.
- Citrix Managed Cloud Services.
- Citrix Managed Adaptive Authentication.
What to look for
How to tell if you're at risk
If you are running an affected version of Citrix ADC or Citrix Gateway and are using SAML authentication, you are at risk.
The affected versions are:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
To check if you are using SAML, inspect the ns.conf file for the following commands:
add authentication samlAction
add authentication samlIdPProfile
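The two checks above (affected build, and SAML configured in ns.conf) can be combined into a single offline triage script. The following is an added example, not CERT NZ's or Citrix's own tooling: it takes the build string in the form the advisory uses (for example 13.0-58.32), an optional FIPS/NDcPP variant label, and the text of an ns.conf file, and reports whether the appliance falls inside the affected ranges listed above. The sample ns.conf content is constructed for illustration; the 13.1 release used in the usage call is not listed in this advisory, so the script reports it as undecidable rather than guessing.

```python
import re

# Fixed builds per the advisory: a build is fixed when (major, minor) >= threshold.
# Keys are "release" or "release-variant" for the FIPS / NDcPP trains.
FIXED_BUILDS = {
    "13.0": (58, 32),
    "12.1": (65, 25),
    "12.1-FIPS": (55, 291),
    "12.1-NDcPP": (55, 291),
}

# ns.conf commands whose presence means SAML SP or SAML IdP is configured.
SAML_COMMANDS = (
    "add authentication samlAction",
    "add authentication samlIdPProfile",
)


def is_vulnerable_version(version, variant=None):
    """Return True if the build precedes the fixed build, False if fixed,
    or None if the release is not covered by this advisory."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    key = release if variant is None else f"{release}-{variant}"
    if key not in FIXED_BUILDS:
        return None
    return (major, minor) < FIXED_BUILDS[key]


def uses_saml(ns_conf_text):
    """Return the set of SAML commands present in ns.conf (empty if none)."""
    found = set()
    for line in ns_conf_text.splitlines():
        stripped = line.strip()
        for cmd in SAML_COMMANDS:
            if stripped.startswith(cmd):
                found.add(cmd)
    return found


def assess(version, ns_conf_text, variant=None):
    """Combine both checks into one of: 'at risk', 'update', 'fixed build', 'unknown release'."""
    vulnerable = is_vulnerable_version(version, variant)
    if vulnerable is None:
        return "unknown release"
    if not vulnerable:
        return "fixed build"
    # Vulnerable build: exposure depends on whether SAML SP/IdP is configured,
    # but the advisory still says to update either way.
    return "at risk" if uses_saml(ns_conf_text) else "update"


# Constructed sample ns.conf excerpt (not from a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlAction saml_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example/sso"
add authentication samlIdPProfile saml_idp -samlSPCertName sp_cert
add authentication ldapAction ldap_act -serverIP 10.0.0.20
"""

if __name__ == "__main__":
    for ver, variant in (("13.0-58.31", None), ("12.1-55.291", "FIPS"), ("13.1-33.47", None)):
        label = ver if variant is None else f"{ver} ({variant})"
        print(f"{label}: {assess(ver, SAMPLE_NS_CONF, variant)}")
```

Run it against a copy of /nsconfig/ns.conf taken from the appliance and the build string shown by the appliance; a result of "at risk" means both conditions in the advisory hold, while "update" means the build is affected even though no SAML configuration was found.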
How to tell if you're affected
The NSA has released threat hunting guidance (CSA: APT5: Citrix ADC Threat Hunting Guidance) to help determine if you have been affected by this vulnerability.
What to do
Update Citrix ADC and Gateway appliances to the latest versions:
- Citrix ADC and Citrix Gateway 13.0-58.32 and later releases.
- Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1.
- Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS.
- Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP.
Citrix Security Bulletin
NSA CSA: APT5: Citrix ADC Threat Hunting Guidance
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.