
Citrix strongly urges admins to apply security updates for a 'Critical' zero-day vulnerability (CVE-2022-27518) in Citrix ADC and Gateway that is actively exploited by state-sponsored hackers to gain access to corporate networks.

This new vulnerability allows an unauthenticated attacker to execute commands remotely on vulnerable devices and take control over them.

Citrix is warning admins to install the latest update "as soon as possible" as the vulnerability is actively exploited in attacks.

"We are aware of a small number of targeted attacks in the wild using this vulnerability," mentions Citrix in the security update accompanying the advisory.

"Customers who are using an affected build with a SAML SP or IdP configuration are urged to install the recommended builds immediately as this vulnerability has been identified as critical. No workarounds are available for this vulnerability." - Citrix.

The vulnerability impacts the following versions of Citrix ADC and Citrix Gateway:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

The above versions are impacted only if the appliances are configured as a SAML SP (SAML service provider) or SAML IdP (SAML identity provider).

Administrators can determine how the device is configured by inspecting the "ns.conf" file for the following two commands:

add authentication samlAction
add authentication samlIdPProfile

Admins should immediately update their devices if the above configuration operations are found.

Citrix ADC and Citrix Gateway version 13.1 are not affected by CVE-2022-27518, so upgrading to it solves the security problem.

Those using older versions are advised to upgrade to the latest available build for the 12.0 (12.1.65.25) or 13.0 branch (13.0.88.16).

Also, Citrix ADC FIPS and Citrix ADC NDcPP should upgrade to versions 12.1-55.291 or later.
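A small triage script, added here as an example (it is not Citrix's own tooling and not part of the NSA guidance), that checks an appliance build string against the fixed builds listed above and scans ns.conf text for the two SAML commands the advisory names; the sample ns.conf fragment and the `variant` labels ("standard", "FIPS", "NDcPP") are constructed for the example.

```python
from __future__ import annotations
import re

# Fixed builds per release line from the advisory; a lower build on the same line
# is affected, 13.1 is not affected at all. "variant" separates the standard 12.1
# line from the 12.1-FIPS and 12.1-NDcPP lines, which have their own build numbers.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}
# The two ns.conf commands the advisory names as the SAML SP / IdP indicators.
SAML_INDICATORS = ("add authentication samlAction", "add authentication samlIdPProfile")
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")  # e.g. "13.0-58.32"

def parse_build(build: str) -> tuple[str, tuple[int, int]]:
    """Split 'release-major.minor' into the release line and a comparable tuple."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix build string: {build!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def build_is_affected(build: str, variant: str = "standard") -> bool | None:
    """True if the build predates the fix, False if fixed, None if not in the table."""
    release, number = parse_build(build)
    if release == "13.1":
        return False
    fixed = FIXED_BUILDS.get((release, variant))
    return None if fixed is None else number < fixed

def saml_configured(ns_conf_text: str) -> list[str]:
    """Return the ns.conf lines that configure a SAML SP (samlAction) or IdP profile."""
    return [ln.strip() for ln in ns_conf_text.splitlines()
            if ln.strip().startswith(SAML_INDICATORS)]

def assess(build: str, ns_conf_text: str, variant: str = "standard") -> str:
    """Combine the build check and the ns.conf check into one verdict string."""
    affected = build_is_affected(build, variant)
    hits = saml_configured(ns_conf_text)
    if affected is None:
        return "release line not in advisory table; check manually"
    if not affected:
        return "fixed build"
    if not hits:
        return "affected build, no SAML SP/IdP configuration found"
    return f"VULNERABLE: affected build with {len(hits)} SAML command(s) in ns.conf"

# Constructed sample ns.conf fragment (not taken from a real appliance).
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.10 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert
add authentication samlIdPProfile saml_idp_prof -samlSPCertName sp_cert
"""
```

Run it against the real ns.conf and the build string shown by the appliance; `assess("13.0-58.30", SAMPLE_NS_CONF)` reports the vulnerable case.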

Those using Citrix-managed cloud services don't have to take any action, as the vendor has already taken the appropriate remediation steps.

Additionally, system admins are urged to consult Citrix's "best practices" for ADC appliances and implement the vendor's security recommendations.

Exploited by state-sponsored hackers

While Citrix has not shared any details on how this new bug is being abused, the NSA has shared that the state-sponsored APT5 hackers (aka UNC2630 and MANGANESE) are actively exploiting the vulnerability in attacks.

"Active exploitation Citrix devices underway by APT5. @NSACyber threat hunting guidance linked below to identify and remediate this activity," tooted NSA cybersecurity director Rob Joyce.

In a coordinated disclosure, the NSA has released an "APT5: Citrix ADC Threat Hunting Guidance" advisory with information on detecting if a device has been exploited and tips on securing Citrix ADC and Gateway devices.

"APT5 has demonstrated capabilities against Citrix® Application Delivery Controller™ (ADC™) deployments ("Citrix ADCs"). Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls," reads the NSA advisory released today.

"As such, NSA, in collaboration with partners, has developed this threat hunting guidance to provide steps organizations can take to look for possible artifacts of this type of activity. Please note that this guidance does not represent all techniques, tactics, or procedures (TTPs) the actors may use when targeting these environments" - National Security Agency

APT5 is believed to be a Chinese state-sponsored hacking group known to utilize zero-days in VPN devices to gain initial access and steal sensitive data.

In 2021, APT5 utilized a zero-day in Pulse Secure VPN devices to breach US Defense Industrial base (DIB) networks.

While APT5 is currently the only known threat actor abusing the vulnerability, now that it is disclosed, we will likely see other groups begin to utilize it shortly.

Hackers leveraged similar security issues in the past in attacks that led to initial access to corporate networks, ransomware, and data theft.

In 2019, a remote code execution flaw tracked as CVE-2019-19781 was discovered in Citrix ADC and Citrix Gateway and quickly became targeted by ransomware operations, state-supported APTs, opportunistic attackers that used mitigation bypasses, and more.

The flaw became so widely abused that the Dutch government advised companies to turn off their Citrix ADC and Citrix Gateway devices until admins could apply security updates.
