Critical flaws found in thousands of Citrix servers are easily patched

Two critical security vulnerabilities that were discovered by the vendor in recent months make thousands of Citrix Gateway and ADC deployments vulnerable.

was fixed November 8. This is an authentication bypass and affects both Citrix products. It could be used by an attacker to gain unauthorized access to the device or perform remote desktop takeover.

This second bug, was disclosed on December 13 and fixed by the team. This allows remote execution of commands on vulnerable devices by unauthenticated attackers. They can also take control.

Citrix released a security update that corrected CVE-2022-257518. Threat actors were already exploiting CVE-2022-257518.

Researchers at NCC Group’s Fox IT Team report today that although most Citrix public-facing endpoints are now updated to safe versions, .

Finding vulnerable versions

Fox IT analysts searched the internet on November 11th 2022 and discovered a total 28,000 Citrix servers.

Researchers needed to determine which versions of these vulnerable ones were exposed in order to figure out how many. This information was not provided by the HTTP response.

However, responses contained MD5-like parameters which could be used to match them with Citrix ADC or Gateway products versions.

Hash in the index.htm

(Fox It)

The team then downloaded all Citrix ADC version they could find from Citrix and Google Cloud Marketplace. They also deployed them on Azure on VMs.

Linking hashes to versions

(Fox It)

Researchers used the source versions to match the hashes, and then determined the date of the build.

Correlating build dates to hashes

(Fox It)

This reduced the amount of unreleased versions (orphan hashes), however, in general most hashes were coupled with specific product versions.

Citrix Servers are at Risk – Thousands

These final results can be summarized as the graph below. They indicate that the majority of users are on version 13.0-88.14.14. This is unchanged by security concerns.

Citrix server versions

(Fox It)

It was the second-most popular version, 12.1-65.21, which is vulnerable to CVE-2022-227518 under certain conditions. This was run on 3,500 endpoints.

These machines must be exploitable by SAML SP and IdP configurations. This means that not all 3500 systems are vulnerable to CVE-2022-227518.

There are approximately 1,000 endpoints that could be vulnerable to CVE-2022/27510, and over 1000 servers.

Third place is occupied by detections of return hashes with unidentified Citrix versions numbers. This number includes over 3,500 servers which could be susceptible to any flaw.

Concerning patching speed: The United States of America, Canada, Australia and Switzerland quickly responded to security advisory publication.

Patching speed of each country

(Fox It)

Fox IT hopes that its blog will raise awareness about Citrix administrators still to implement security updates due to recent critical flaws. The statistics show there is much more work to do to eliminate all security holes.