Citrix ADC and Citrix Gateway contain a zero-day vulnerability (CVE-2022-27518) that state-sponsored hackers are actively exploiting to gain access to corporate networks. The vulnerability allows an unauthenticated attacker to execute commands remotely on vulnerable appliances and take control of them.
As the vulnerability is actively exploited in attacks, Citrix has warned admins to install the latest update as soon as possible. In the security bulletin accompanying the advisory, the company states: "using this vulnerability, a small number of targeted attacks have been detected in the wild."
The impact of this vulnerability has been seen in the following versions of the Citrix ADC and Citrix Gateway:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
The versions given above are affected only if the appliance is configured as a SAML SP (SAML service provider) or a SAML IdP (SAML identity provider).
Citrix ADC and Citrix Gateway 13.1 is not affected, so upgrading to 13.1 addresses CVE-2022-27518. Those staying on older branches need to upgrade to the latest build available for the 12.1 branch (12.1-65.25) or the 13.0 branch (13.0-88.16). Citrix ADC FIPS and Citrix ADC NDcPP customers should update to 12.1-55.291 or later.
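To turn the version list and the SAML condition above into something you can run against an appliance inventory, here is an added Python check; it is not part of the original article and not Citrix's own tooling. It encodes the fixed builds from the list above, parses either the advisory-style version string (`13.0-58.32`) or, as an assumption about the `show version` output format, the `NetScaler NS13.0: Build 58.32.nc` form, and looks for the `add authentication samlAction` (SAML SP) and `add authentication samlIdPProfile` (SAML IdP) commands that such a configuration leaves in ns.conf. The ns.conf fragments are constructed samples, not captures from a real appliance.

```python
import re

# Fixed builds per (branch, edition), taken from the affected-version list in
# the advisory above: a build below the fixed one is affected. 13.1 is not affected.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "fips"): (55, 291),
    ("12.1", "ndcpp"): (55, 291),
}
NOT_AFFECTED_BRANCHES = {"13.1"}

# Accepts "13.0-58.32" (advisory style) and, as an assumption about the
# "show version" output format, "NetScaler NS13.0: Build 58.32.nc".
VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")

# NetScaler CLI commands present in ns.conf when the appliance is a SAML SP
# (samlAction) or a SAML IdP (samlIdPProfile); only those appliances are affected.
SAML_MARKERS = ("add authentication samlAction", "add authentication samlIdPProfile")


def parse_version(text):
    """Return (branch, (build, sub)), e.g. ('13.0', (58, 32)); ValueError if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Citrix ADC version string: {text!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return f"{major}.{minor}", (build, sub)


def build_vulnerable(version, edition="standard"):
    """True if the build is below the fixed build for its branch and edition,
    False if it is fixed or on an unaffected branch, None if the branch is not
    covered by the advisory's list (e.g. end-of-life 12.0 or 11.1)."""
    branch, build = parse_version(version)
    if branch in NOT_AFFECTED_BRANCHES:
        return False
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (58, 31) < (58, 32) is True


def saml_configured(ns_conf):
    """True if ns.conf defines a SAML SP action or a SAML IdP profile."""
    return any(line.strip().startswith(SAML_MARKERS) for line in ns_conf.splitlines())


def assess(version, ns_conf, edition="standard"):
    """Combine the build check and the SAML check into one verdict string."""
    vuln = build_vulnerable(version, edition)
    if vuln is None:
        return "unknown-branch"
    if not vuln:
        return "patched"  # fixed build, or a branch the advisory lists as unaffected
    return "exposed" if saml_configured(ns_conf) else "affected-build-no-saml"


# Constructed sample ns.conf fragments (not from a real appliance).
SAML_SP_CONF = """\
add authentication vserver auth_vs SSL 0.0.0.0
add authentication samlAction saml_sp -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.com/sso"
add authentication Policy saml_pol -rule true -action saml_sp
"""
LDAP_ONLY_CONF = """\
add authentication vserver auth_vs SSL 0.0.0.0
add authentication ldapAction ldap_act -serverIP 10.0.0.5 -ldapBase "dc=example,dc=com"
"""

if __name__ == "__main__":
    for ver, conf, ed in [
        ("13.0-58.31", SAML_SP_CONF, "standard"),
        ("NetScaler NS13.0: Build 88.16.nc", SAML_SP_CONF, "standard"),
        ("12.1-55.290", SAML_SP_CONF, "fips"),
        ("12.1-65.24", LDAP_ONLY_CONF, "standard"),
    ]:
        print(f"{ver:36} {ed:9} -> {assess(ver, conf, ed)}")
```

An appliance on an affected build without a SAML configuration is reported separately from a patched one, because the advisory only scopes exploitation to SAML SP/IdP deployments; the build is still below the fixed level and should still be upgraded on the next maintenance window rather than treated as safe.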
Users of Citrix-managed cloud services do not need to take any action, since Citrix has already remediated the issue. In addition, system admins are advised to consult the Citrix Best Practices documentation for hardening ADC appliances and applying the vendor's security recommendations.
A state-sponsored hacker exploited the vulnerability
Citrix has not shared any details about how this new vulnerability is being exploited. The NSA, however, has stated that the state-sponsored APT5 group (also tracked as UNC2630 and MANGANESE) is actively exploiting it in attacks.
"APT5 was exploiting Citrix devices actively," tweeted NSA cybersecurity director Rob Joyce. "Their guidance link below will help you identify and remediate this activity."
An advisory published by the NSA titled “APT5: Citrix ADC Threat Hunting Guidance” provides tips on securing Citrix ADCs and Gateways and detecting if a device has been exploited.
APT5, a Chinese state-sponsored group, has a history of exploiting zero-day vulnerabilities in VPN devices to gain access to sensitive information; in 2021 it breached US Defense Industrial Base (DIB) networks through a zero-day exploit in Pulse Secure VPN devices. The vulnerability is currently only known to be exploited by APT5, but now that it has been disclosed, other groups are likely to pick it up shortly.
In the past, attackers have taken advantage of similar Citrix flaws to gain access to corporate networks, deploy ransomware, and steal data.
The CVE-2019-19781 remote code execution vulnerability in Citrix ADC and Citrix Gateway, disclosed in 2019, was exploited by ransomware operations, state-sponsored APTs, and opportunistic attackers alike. Because of the widespread abuse, the Dutch government advised companies to switch off their Citrix ADCs and Citrix Gateways until security updates could be applied.
Get ESOF VMDR to protect your systems from this vulnerability
The ESOF platform provides a vulnerability management solution for detecting and mitigating IT vulnerabilities. ESOF VMDR is deployed to prevent malicious cyberattacks: it automatically prioritizes and continuously monitors all vulnerabilities from the moment it is installed on the user's systems.
- Its threat intelligence feature helps identify the assets affected by a vulnerability, and from there the attack string and attack vector of the cyber attack.
- With scheduled scanning, you can find zero-day vulnerabilities across your architecture, such as web, mobile, SCR, and infrastructure.
- The cyber risk score improves communication across the organization: it expresses cyber risk as a single score and gives business owners a sense of how secure their organization is.
- ESOF VMDR finds hidden vulnerabilities in the system and segregates those considered high risk.
- Rapidly close critical vulnerabilities through auto-prioritization and auto-remediation.
- Protect all real-time files across your organization's complete IT stack.
TAC Security's ESOF VMDR is one of the products that helps auto-prioritize and auto-remediate vulnerabilities, threats, and risks across the complete IT stack, managing overall exposure in real time.