{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-087.pdf"
    },
    "title": "Critical Vulnerability in Citrix Gateway and Citrix ADC",
    "serial_number": "2022-087",
    "publish_date": "13-12-2022 15:50:00",
    "description": "On December 13, 2022, Citrix released a Security Bulletin regarding a critical vulnerability CVE-2022-27518 affecting its Citrix Gateway and Citrix ADC products. If exploited, this vulnerability can enable an unauthenticated remote attacker to perform arbitrary code execution on the appliance. According to the NSA, the vulnerability is being exploited by the APT5 group. APT5 is also known to have exploited Pulse Secure VPN vulnerabilities in 2021. It is therefore highly recommended to install the latest security updates.",
    "url_title": "2022-087",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in Citrix Gateway and Citrix ADC'\nversion: '1.0'\nnumber: '2022-087'\noriginal_date: 'December 13, 2022'\ndate: 'December 13, 2022'\n---\n\n_History:_\n\n* _13/12/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn December 13, 2022, Citrix released a Security Bulletin regarding a critical vulnerability CVE-2022-27518 affecting its Citrix Gateway and Citrix ADC products [1]. If exploited, this vulnerability can enable an unauthenticated remote attacker to perform arbitrary code execution on the appliance.\n\nAccording to the NSA, the vulnerability is being exploited by the APT5 group [2, 3]. APT5 is also known to have exploited Pulse Secure VPN vulnerabilities in 2021. It is therefore highly recommended to install the latest security updates.\n\n# Technical Details\n\nThis zero-day vulnerability `CVE-2022-27518` is due to improper control of a resource through its lifetime. This vulnerability is exploitable only if Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP.\n\n# Affected Products\n\nThe following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:\n\n- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32\n- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25\n- Citrix ADC 12.1-FIPS before 12.1-55.291\n- Citrix ADC 12.1-NDcPP before 12.1-55.291\n\nCitrix ADC and Citrix Gateway version 13.1 is unaffected. Moreover, for Citrix-managed cloud services or Citrix-managed Adaptive Authentication there is no need to take any action.\n\nTo identify whether Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP, inspect the `ns.conf` file for the following commands:\n\n- `add authentication samlAction` - the appliance is configured as a SAML SP, or\n- `add authentication samlIdPProfile` - the appliance is configured as a SAML IdP\n\nIf either command is present in the `ns.conf` file and the version is an affected version, then the appliance must be updated.\n\n# Recommendations\n\nCERT-EU highly recommends installing the latest updated versions of Citrix ADC or Citrix Gateway as soon as possible:\n\n- Citrix ADC and Citrix Gateway 13.0-58.32 and later releases\n- Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1\n- Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS\n- Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP\n\nPlease note that Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL, and customers on those versions should upgrade to one of the supported versions.\n\n## Detection\n\nPlease consider using the NSA APT5: Citrix ADC Threat Hunting Guidance [3] to verify possible compromise.\n\n# References\n\n[1] <https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518>\n\n[2] <https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-citrix-adc-and-gateway-zero-day-patch-now/>\n\n[3] <https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>13/12/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 13, 2022, Citrix released a Security Bulletin regarding a critical vulnerability CVE-2022-27518 affecting its Citrix Gateway and Citrix ADC products [1]. If exploited, this vulnerability can enable an unauthenticated remote attacker to perform arbitrary code execution on the appliance.</p><p>According to the NSA, the vulnerability is being exploited by the APT5 group [2, 3]. APT5 is also known to have exploited Pulse Secure VPN vulnerabilities in 2021. It is therefore highly recommended to install the latest security updates.</p><h2 id=\"technical-details\">Technical Details</h2><p>This zero-day vulnerability <code>CVE-2022-27518</code> is due to improper control of a resource through its lifetime. This vulnerability is exploitable only if Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:</p><ul><li>Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32</li><li>Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25</li><li>Citrix ADC 12.1-FIPS before 12.1-55.291</li><li>Citrix ADC 12.1-NDcPP before 12.1-55.291</li></ul><p>Citrix ADC and Citrix Gateway version 13.1 is unaffected. Moreover, for Citrix-managed cloud services or Citrix-managed Adaptive Authentication there is no need to take any action.</p><p>To identify whether Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP, inspect the <code>ns.conf</code> file for the following commands:</p><ul><li><code>add authentication samlAction</code> - the appliance is configured as a SAML SP, or</li><li><code>add authentication samlIdPProfile</code> - the appliance is configured as a SAML IdP</li></ul><p>If either command is present in the <code>ns.conf</code> file and the version is an affected version, then the appliance must be updated.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU highly recommends installing the latest updated versions of Citrix ADC or Citrix Gateway as soon as possible:</p><ul><li>Citrix ADC and Citrix Gateway 13.0-58.32 and later releases</li><li>Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1</li><li>Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS</li><li>Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP</li></ul><p>Please note that Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL, and customers on those versions should upgrade to one of the supported versions.</p><h3 id=\"detection\">Detection</h3><p>Please consider using the NSA APT5: Citrix ADC Threat Hunting Guidance [3] to verify possible compromise.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518\">https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-citrix-adc-and-gateway-zero-day-patch-now/\">https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-citrix-adc-and-gateway-zero-day-patch-now/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF\">https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}