Multiple vulnerabilities in Citrix Gateway and ADC

This live blog contains information regarding multiple vulnerabilities in Citrix Gateway and ADC. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on November 10, 2022.

Update November 10, 2022

14:00 | On the 8th of November 2022, Citrix has published a security bulletin describing three different vulnerabilities in the Citrix Gateway and Citrix ADC. In order to exploit the vulnerabilities, the system must be configured as a gateway using the SSL VPN functionality or configured as an ICA proxy with authentication.

The most severe vulnerability, registered as CVE-2022-27510, allows an attacker to bypass authentication. This gives the attacker access to the user capabilities provided by the gateway. The other two vulnerabilities are registered as CVE-2022-27513 and CVE-2022-27516. Currently, there are no reports on exploitation in the wild and there is no known proof-of-concept code publicly available.

Citrix has published security updates for supported platforms to mitigate the vulnerabilities. It is highly recommended to apply these updates as soon as possible. Customers using Citrix-managed cloud services do not need to take any action.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential Risk

In the security bulletin published by Citrix a total of three vulnerabilities are described. The three vulnerabilities can enable attackers to gain unauthorized access to the system, perform remote desktop takeover, or bypass the login brute force protection. The impact of a successful compromise strongly depends on the applications accessed via the Citrix Solution.

Currently, there are no reports on exploitation in the wild and there is no known proof-of-concept code publicly available.

Detail info

Citrix has published a security bulletin describing three vulnerabilities in the Citrix Gateway and Citrix ADC. Note that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected. There is currently limited information regarding the vulnerabilities available.

An overview of the available information regarding the vulnerabilities can be found in the table below. At the moment of writing, no CVSS or EPSS scores are available.

CVE	Description	CWE	Affected Products	Pre-conditions
CVE-2022-27510	Unauthorized access to Gateway user capabilities	CWE-288: Authentication Bypass Using an Alternate Path or Channel	Citrix Gateway, Citrix ADC	Appliance must be configured as a VPN (Gateway)
CVE-2022-27513	Remote desktop takeover via phishing	CWE-345: Insufficient Verification of Data Authenticity	Citrix Gateway, Citrix ADC	Appliance must be configured as a VPN (Gateway) and the RDP proxy functionality must be configured
CVE-2022-27516	User login brute force protection functionality bypass	CWE-693: Protection Mechanism Failure	Citrix Gateway, Citrix ADC	Appliance must be configured as a VPN (Gateway) or AAA virtual server and the user lockout functionality “Max Login Attempts” must be configured

Table 1 – CVE details information on the 9^th of November 2022

The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:

Citrix ADC and Citrix Gateway 1 before 13.1-33.47
Citrix ADC and Citrix Gateway 0 before 13.0-88.12
Citrix ADC and Citrix Gateway 1 before 12.1.65.21
Citrix ADC 12.1-FIPS before 12.1-55.289
Citrix ADC 12.1-NDcPP before 12.1-55.289

Customers using Citrix-managed cloud services do not need to take any action. Customers with affected version of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:

Citrix ADC and Citrix Gateway 1-33.47 and later releases
Citrix ADC and Citrix Gateway 0-88.12 and later releases of 13.0
Citrix ADC and Citrix Gateway 1-65.21 and later releases of 12.1
Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP

Background

More information:

Citrix Security Bulletin – https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516
NCSC Advisory – https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0701

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.