Citrix is urging users to apply updates addressing a critical authentication bypass vulnerability in Citrix Gateway and ADC.
Flaws in Citrix’s Gateway SSL VPN solution and Citrix ADC, an application delivery controller that analyzes, distributes and secures network traffic for web applications, have historically been leveraged by threat actors in attacks. This week, Citrix said the products contain an authentication bypass flaw (CVE-2022-27510), which could give attackers unauthorized access to Citrix Gateway user capabilities. Satnam Narang, senior staff research engineer with Tenable, said that the flaw “could be exploited by an attacker as an initial access vector into a network.”
Citrix's new security update for Gateway and ADC also addresses a flaw (CVE-2022-27513) stemming from insufficient verification of the authenticity of data that could allow attackers to remotely take over a desktop (via phishing), and a protection mechanism failure (CVE-2022-27516) that would allow attackers to bypass the user login brute force protection functionality.
“Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible,” according to the Citrix security advisory on Tuesday.
Impacted by the flaws are Citrix ADC and Citrix Gateway versions 13.1 before 13.1-33.47; 13.0 before 13.0-88.12; 12.1 before 188.8.131.52; and Citrix ADC 12.1-FIPS before 12.1-55.289 and 2.1-NDcPP before 12.1-55.289. Appliances operating as a Gateway (using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are impacted by these issues, according to Citrix.
Vulnerabilities in Citrix ADC and Gateway have been previously leveraged by various threat actors. In particular, threat actors have used a critical path traversal vulnerability (CVE-2019-19781), first disclosed in December 2019, in Citrix ADC in order to target organizations over the years. In 2021, the flaw was categorized by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as one of the top routinely exploited vulnerabilities in 2020.
“CVE-2019-19781 has been leveraged by state-sponsored threat actors with ties to China and Iran, as part of ransomware attacks against various entities including the healthcare sector, and was recently included as part of an updated list of the top vulnerabilities exploited by the People’s Republic of China state-sponsored actors from early October,” said Narang in an analysis this week.
Jarosław Kamiński of Securitum was credited with discovering the flaws.