Citrix urges administrators to update security patches for a ‘Critical’ zero-day vulnerability in Citrix ADC or Gateway. This vulnerability is being actively exploited to allow state-sponsored hackers access corporate networks.
Unauthenticated attackers can now remotely execute commands on the vulnerable devices to take over their control.
Citrix warns administrators to update the software as soon as they can, as this vulnerability has been used in an attack.
Citrix mentions that “we are aware of some targeted attacks in nature using this vulnerability,” in the , which is included with .
Customers who have an affected build that uses a SAML SP configuration or IdP configuration should immediately install the recommended builds. This vulnerability is critical. This vulnerability does not have a workaround. – Citrix.
This vulnerability affects the Citrix Gateway and Citrix ADC versions:
- Citrix ADC & Citrix Gateway before 13.0-58.32
- Citrix ADC & Citrix Gateway 12.1 Before 12.1-65.25
- Citrix ADC 1.2.1-FIPS prior to 12.1-55.291
- Citrix ADC 1.2.1-NDcPP Before 12.1-55.291
These versions will only be affected if appliances are set up as either a SAML SP ( SAML provider), or a SAML IDP ( SAML provider).
Administrators will be able to determine the configuration of the device by looking at the file “ns.conf”. The following commands can also be used:
add authentication samlAction
add authentication samlIdPProfile
Administrators are advised to immediately upgrade their devices in the event of any of these configuration operations.
Citrix ADC version 1.3.1 and Citrix gateway 13.1 are unaffected by CVE-2022-257518. Therefore, upgrading to them solves this security issue.
It is recommended that older versions be upgraded to the most current build (188.8.131.52) and 13.0 branches (184.108.40.206).
Citrix ADAC FIPS and Citrix NDcPP must be upgraded to version 12.1-55.291.
Citrix cloud service users don’t need to do anything, since the vendor already took the necessary remediation steps.
System administrators are encouraged to review regarding ADC appliances, and follow the vendor’s security recommendations.
State-sponsored hackers exploited
Citrix did not share any information about the new bug, but the NSA shared the fact that state-sponsored APT5 hackers (aka UNC2630 or MANGANESE), are actively exploiting this vulnerability in attacks.
APT5 is assisting in the active exploitation of Citrix devices. “Active exploitation Citrix devices underway by APT5.,” NSA cybersecurity chief Rob Joyce.
The NSA released ” ” as a coordinated disclosure. It contains information about how to detect if a device is being exploited, and also tips for securing Citrix ADC devices and Gateway devices.
Citrix(r), Application Delivery Controller(tm), (ADC(tm),) deployments. “Citrix ADCs have been demonstrated to be capable of defending APT5,” said the APT5 spokesperson. The today states that Citrix ADCs could be used to allow illegitimate access for targeted organisations by bypassing standard authentication controls.
“The NSA has created this threat hunting guide in cooperation with its partners to help organizations identify possible artifacts associated with this kind of activity. This guidance is not intended to cover all possible tactics or procedures that actors might use in targeting such environments.
APT5 may be an alleged Chinese-sponsored hacking organization that uses zero-days VPN devices to get initial access to sensitive data and to steal it.
to break into US Defense Industrial base networks (DIB).
Although APT5 remains the most known threat actor using the vulnerability at the moment, it will be used by other organizations soon.
In the past, hackers used similar security problems to attack corporate networks and ransomware to steal data.
CVE-2019-197781, which is a remote code execution flaw, was found in Citrix ADC, Citrix Gateway, and became quickly targeted (1), (2), state-supported APTs and opportunistic hackers that utilized mitigation bypasses and many more.
Exploitation was so widespread that not to use their Citrix ADC or Citrix Gateway until security updates could be applied by admins.