Vulnerability

Multiple vulnerabilities in Citrix Gateway and ADC

This live blog contains information regarding multiple vulnerabilities in Citrix Gateway and ADC. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on November 10, 2022.


T-Update

Information about vulnerabilities


Update November 10, 2022

14:00 | On the 8th of November 2022, Citrix published a security bulletin describing three different vulnerabilities in Citrix Gateway and Citrix ADC. The vulnerabilities can only be exploited if the system is configured as a gateway using the SSL VPN functionality or as an ICA proxy with authentication.

The most severe vulnerability, registered as CVE-2022-27510, allows an attacker to bypass authentication. This gives the attacker access to the user capabilities provided by the gateway. The other two vulnerabilities are registered as CVE-2022-27513 and CVE-2022-27516. Currently, there are no reports on exploitation in the wild and there is no known proof-of-concept code publicly available.

Citrix has published security updates for supported platforms to mitigate the vulnerabilities. It is highly recommended to apply these updates as soon as possible. Customers using Citrix-managed cloud services do not need to take any action.


Background

The security bulletin published by Citrix describes a total of three vulnerabilities. They can enable attackers to gain unauthorized access to the system, perform remote desktop takeover, or bypass the login brute force protection. The impact of a successful compromise strongly depends on the applications accessed via the Citrix solution. Currently, there are no reports of exploitation in the wild and there is no known proof-of-concept code publicly available.

Risk

Citrix has published a security bulletin describing three vulnerabilities in Citrix Gateway and Citrix ADC. Note that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected. Only limited information about the vulnerabilities is currently available.

An overview of the available information regarding the vulnerabilities can be found in the table below. At the moment of writing, no CVSS or EPSS scores are available.


| CVE number | Description | CWE | Affected products | Pre-conditions |
|---|---|---|---|---|
| CVE-2022-27510 | Unauthorized access to Gateway user capabilities | CWE-288: Authentication Bypass Using an Alternate Path or Channel | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) |
| CVE-2022-27513 | Remote desktop takeover via phishing | CWE-345: Insufficient Verification of Data Authenticity | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) and the RDP proxy functionality must be configured |
| CVE-2022-27516 | User login brute force protection functionality bypass | CWE-693: Protection Mechanism Failure | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) or AAA virtual server and the user lockout functionality “Max Login Attempts” must be configured |

The following supported versions of Citrix ADC and Citrix Gateway are affected by these vulnerabilities:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289

Customers using Citrix-managed cloud services do not need to take any action. Customers with an affected version of Citrix ADC or Citrix Gateway are recommended to install the relevant updated version as soon as possible:

  • Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
  • Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
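To triage an appliance inventory against the fixed builds listed above, the following added example (not code from Citrix or from this blog) classifies a version string per release branch. The banner format `NS13.0: Build 88.12.nc`, the `edition` inventory field and the host names are assumptions; the sample rows are constructed.

```python
import re

# Fixed builds listed in the advisory, keyed by (release branch, edition).
FIXED = {
    ("13.1", "standard"): (33, 47),
    ("13.0", "standard"): (88, 12),
    ("12.1", "standard"): (65, 21),
    ("12.1", "fips"): (55, 289),
    ("12.1", "ndcpp"): (55, 289),
}

# Assumed banner shape: "NetScaler NS13.0: Build 88.12.nc, Date: ..."
BANNER = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")
# The advisory's own notation: "13.0-88.12"
DASHED = re.compile(r"\b(\d+\.\d+)-(\d+)\.(\d+)\b")

def parse_build(text):
    """Return (branch, (build, sub_build)), or None if no version is found."""
    m = BANNER.search(text) or DASHED.search(text)
    return (m.group(1), (int(m.group(2)), int(m.group(3)))) if m else None

def assess(text, edition="standard"):
    """Return 'vulnerable', 'fixed', 'unlisted' or 'unknown' for one appliance."""
    # edition comes from the inventory (hypothetical field): the version
    # string alone does not say whether a 12.1 appliance is FIPS or NDcPP,
    # and 12.1-55.289 compared against 12.1-65.21 would look unpatched.
    parsed = parse_build(text)
    if parsed is None:
        return "unknown"
    branch, build = parsed
    fixed = FIXED.get((branch, edition.lower()))
    if fixed is None:
        return "unlisted"  # branch/edition not in the advisory's lists
    # Tuples compare numerically per component, so 88.9 sorts before 88.12.
    return "vulnerable" if build < fixed else "fixed"

# Constructed inventory rows: (hostname, version string, edition).
SAMPLE = [
    ("gw-01", "NetScaler NS13.1: Build 30.52.nc, Date: Sep 1 2022", "standard"),
    ("gw-02", "NetScaler NS13.0: Build 88.12.nc, Date: Oct 20 2022", "standard"),
    ("gw-03", "12.1-55.289", "FIPS"),
    ("gw-04", "NetScaler NS11.1: Build 65.22.nc", "standard"),
]

def report(rows=SAMPLE):
    return {host: assess(version, edition) for host, version, edition in rows}
```

A "vulnerable" result covers the build number only; as noted above, an appliance is affected only when it is also operating as a Gateway. "unlisted" means the branch is not in the lists above and needs a separate check.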

Advice
