This live blog contains information regarding multiple vulnerabilities in Citrix Gateway and ADC. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on November 10, 2022.
Update November 10, 2022
14:00 | On the 8th of November 2022, Citrix has published a security bulletin describing three different vulnerabilities in the Citrix Gateway and Citrix ADC. In order to exploit the vulnerabilities, the system must be configured as a gateway using the SSL VPN functionality or configured as an ICA proxy with authentication.
The most severe vulnerability, registered as CVE-2022-27510, allows an attacker to bypass authentication. This gives the attacker access to the user capabilities provided by the gateway. The other two vulnerabilities are registered as CVE-2022-27513 and CVE-2022-27516. Currently, there are no reports on exploitation in the wild and there is no known proof-of-concept code publicly available.
Citrix has published security updates for supported platforms to mitigate the vulnerabilities. It is highly recommended to apply these updates as soon as possible. Customers using Citrix-managed cloud services do not need to take any action.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
In the security bulletin published by Citrix a total of three vulnerabilities are described. The three vulnerabilities can enable attackers to gain unauthorized access to the system, perform remote desktop takeover, or bypass the login brute force protection. The impact of a successful compromise strongly depends on the applications accessed via the Citrix Solution.
Currently, there are no reports on exploitation in the wild and there is no known proof-of-concept code publicly available.
Citrix has published a security bulletin describing three vulnerabilities in the Citrix Gateway and Citrix ADC. Note that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected. There is currently limited information regarding the vulnerabilities available.
An overview of the available information regarding the vulnerabilities can be found in the table below. At the moment of writing, no CVSS or EPSS scores are available.
|CVE-2022-27510||Unauthorized access to Gateway user capabilities||CWE-288: Authentication Bypass Using an Alternate Path or Channel||Citrix Gateway, Citrix ADC||Appliance must be configured as a VPN (Gateway)|
|CVE-2022-27513||Remote desktop takeover via phishing||CWE-345: Insufficient Verification of Data Authenticity||Citrix Gateway, Citrix ADC||Appliance must be configured as a VPN (Gateway) and the RDP proxy functionality must be configured|
|CVE-2022-27516||User login brute force protection functionality bypass||CWE-693: Protection Mechanism Failure||Citrix Gateway, Citrix ADC||Appliance must be configured as a VPN (Gateway) or AAA virtual server and the user lockout functionality “Max Login Attempts” must be configured|
Table 1 – CVE details information on the 9th of November 2022
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 1 before 13.1-33.47
- Citrix ADC and Citrix Gateway 0 before 13.0-88.12
- Citrix ADC and Citrix Gateway 1 before 184.108.40.206
- Citrix ADC 12.1-FIPS before 12.1-55.289
- Citrix ADC 12.1-NDcPP before 12.1-55.289
Customers using Citrix-managed cloud services do not need to take any action. Customers with affected version of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
- Citrix ADC and Citrix Gateway 1-33.47 and later releases
- Citrix ADC and Citrix Gateway 0-88.12 and later releases of 13.0
- Citrix ADC and Citrix Gateway 1-65.21 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
Do you want to be informed in time? Sign up for our technical updates
Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.