MS-ISAC CYBERSECURITY ADVISORY
MS-ISAC ADVISORY NUMBER:
A vulnerability has been discovered in Citrix Gateway and Citrix ADC which could allow for remote code execution.
A vulnerability has been discovered in Citrix Gateway and Citrix ADC which could allow for remote code execution. Citrix ADC is an Application Delivery Controller, and Citrix Gateway is a gateway service for Citrix products. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution. Depending on the permissions associated with the application running the exploit, an attacker could then install programs or view, change, or delete data.
CVE-2022-27518 has been reported to be exploited in the wild.
SYSTEMS AFFECTED:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
RISK:
- Large and medium government entities: High
- Small government entities: Medium
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):
- A vulnerability has been discovered in Citrix Gateway and Citrix ADC which could allow for remote code execution. Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this vulnerability to be exploited. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution. (CVE-2022-27518)
Users can determine if their Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP by inspecting the ns.conf file for the following commands:
- add authentication samlAction (Appliance is configured as a SAML SP)
- add authentication samlIdPProfile (Appliance is configured as a SAML IdP)
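As an added example (not part of the MS-ISAC advisory or any Citrix tooling), the following Python script applies the two checks the advisory describes: it scans an ns.conf for the two SAML commands to determine the appliance's SAML role, and compares a firmware build string against the fixed builds listed under Systems Affected. The sample ns.conf lines, IP addresses and action name are constructed for illustration.

```python
import re

# Earliest fixed build per product line, as listed in the advisory.
FIXED_BUILDS = {
    "13.0": "13.0-58.32",
    "12.1": "12.1-65.25",
    "12.1-FIPS": "12.1-55.291",
    "12.1-NDcPP": "12.1-55.291",
}

# ns.conf commands the advisory says identify the SAML role.
SAML_COMMANDS = {
    "add authentication samlAction": "SAML SP",
    "add authentication samlIdPProfile": "SAML IdP",
}

# Constructed sample ns.conf excerpt (hypothetical names and RFC 5737 addresses).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.5 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlRedirectUrl "https://idp.example.com/sso"
add authentication vserver auth_vs SSL 192.0.2.10 443
"""


def parse_build(version: str) -> tuple[int, ...]:
    """Turn a build string such as '13.0-58.32' into (13, 0, 58, 32) for ordering."""
    return tuple(int(part) for part in re.split(r"[.-]", version.strip()))


def saml_roles(ns_conf: str) -> set[str]:
    """Return the SAML roles configured in an ns.conf (empty set if neither command is present)."""
    roles = set()
    for line in ns_conf.splitlines():
        for command, role in SAML_COMMANDS.items():
            if line.strip().startswith(command):
                roles.add(role)
    return roles


def is_unpatched(product_line: str, version: str) -> bool:
    """True if the build is older than the fixed build for that product line.
    Product lines the advisory does not list (e.g. 13.1) are not flagged."""
    fixed = FIXED_BUILDS.get(product_line)
    return fixed is not None and parse_build(version) < parse_build(fixed)


def assess(product_line: str, version: str, ns_conf: str) -> dict:
    """Exposure requires both an unpatched build and a SAML SP/IdP configuration."""
    roles = saml_roles(ns_conf)
    unpatched = is_unpatched(product_line, version)
    return {"saml_roles": sorted(roles), "unpatched": unpatched, "exposed": unpatched and bool(roles)}


if __name__ == "__main__":
    print(assess("13.0", "13.0-58.30", SAMPLE_NS_CONF))
```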
We recommend the following actions be taken:
- Apply appropriate updates provided by Citrix to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.