CVE-2022-27518 | SentinelOne

CVE-2022-27518: Citrix ADC and Citrix Gateway Vulnerability

Citrix has patched a critical vulnerability in Citrix ADC and Citrix Gateway. The flaw was reportedly exploited as a zero-day before a fix was available, so organizations running affected builds should update immediately.

About the vulnerability

On December 13, 2022, Citrix released a security advisory (CTX474995) and an accompanying blog post for CVE-2022-27518, an unauthenticated remote code execution vulnerability in specific versions of Citrix ADC and Citrix Gateway. Both noted that the vulnerability had been exploited in the wild and urged customers to patch immediately.

Citrix stated that there are no workarounds for this vulnerability. All customers running an affected version with a SAML SP or SAML IdP configuration should therefore update immediately.

Customers of Citrix-managed cloud services or Adaptive Authentication do not need to take action; the update applies only to customer-managed Citrix ADC and Citrix Gateway appliances.

Citrix appliances are a high-value target for attackers. In threat-hunting guidance published the same day, December 13, 2022, the National Security Agency (NSA) reported that a state-sponsored actor it tracks as APT5 has been targeting Citrix ADC appliances, and provided guidance for hunting compromised devices.

Impacted products

An unauthenticated attacker can exploit this vulnerability to execute arbitrary code on the appliance. Exploitation requires that the Citrix ADC or Citrix Gateway be configured as a SAML service provider (SP) or SAML identity provider (IdP); an appliance without a SAML role is not exposed to this particular flaw but should still be patched. To determine whether an appliance has a SAML role, inspect ns.conf: a line beginning with "add authentication samlAction" means the appliance is configured as a SAML SP, and a line beginning with "add authentication samlIdPProfile" means it is configured as a SAML IdP. Citrix ADC and Citrix Gateway 13.1 is not affected. The affected versions are:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

Remediation guidance

Because there are no workarounds, affected organizations should update to a fixed build immediately. The following builds, or any later build in the same release train, should be installed on an emergency basis:

  • Citrix ADC and Citrix Gateway 13.0-58.32 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP
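The two questions a defender has to answer for the impacted-products list and the remediation list above are whether the running build is older than the fixed build for its release train, and whether ns.conf declares a SAML SP or IdP role. The following shell script, added here as an example and not code from SentinelOne or Citrix, answers both. It encodes the fixed builds from the lists above, parses a "show ns version" line of the form "NetScaler NS13.0: Build 58.30.nc, ...", and greps ns.conf for the two "add authentication" commands that indicate a SAML role. The sample version line and the sample ns.conf fragment are constructed for the demonstration; FIPS and NDcPP builds are passed to assess_build by hand because the script does not try to recognize those variants from the version string.

```shell
#!/bin/sh
# Added example (not from the SentinelOne page or from Citrix): triage helper
# for CVE-2022-27518 on a customer-managed Citrix ADC / Gateway appliance.

# fixed_build TRAIN : print the first fixed build for a release train
# (13.0, 12.1, 12.1-FIPS, 12.1-NDcPP). 13.1 is not affected by this CVE.
fixed_build() {
  case "$1" in
    13.0)       echo 58.32 ;;
    12.1)       echo 65.25 ;;
    12.1-FIPS)  echo 55.291 ;;
    12.1-NDcPP) echo 55.291 ;;
    13.1)       echo not_affected ;;
    *)          echo unknown ;;
  esac
}

# build_ge A B : succeed when build A is at least build B. Builds are
# "<build>.<sub-build>" (e.g. 58.32); both parts compare as integers,
# so 65.8 is older than 65.25.
build_ge() {
  a_major=${1%%.*}; a_minor=${1#*.}
  b_major=${2%%.*}; b_minor=${2#*.}
  if [ "$a_major" -gt "$b_major" ]; then return 0; fi
  if [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; then return 0; fi
  return 1
}

# assess_build TRAIN BUILD : print fixed | vulnerable | not_affected | unknown
assess_build() {
  fix=$(fixed_build "$1")
  case "$fix" in
    not_affected|unknown) echo "$fix" ;;
    *) if build_ge "$2" "$fix"; then echo fixed; else echo vulnerable; fi ;;
  esac
}

# parse_ns_version LINE : turn "NetScaler NS13.0: Build 58.30.nc, ..." into
# "13.0 58.30" (train and build separated by a space).
parse_ns_version() {
  printf '%s\n' "$1" | sed -n 's/.*NS\([0-9][0-9]*\.[0-9][0-9]*\): *Build \([0-9][0-9]*\.[0-9][0-9]*\).*/\1 \2/p'
}

# saml_roles FILE : print the SAML roles ns.conf declares ("sp", "idp", or
# "sp idp"), using the commands Citrix's advisory names: an
# "add authentication samlAction" line means the appliance is a SAML SP,
# an "add authentication samlIdPProfile" line means it is a SAML IdP.
saml_roles() {
  roles=""
  if grep -q '^add authentication samlAction ' "$1"; then roles="sp"; fi
  if grep -q '^add authentication samlIdPProfile ' "$1"; then roles="${roles:+$roles }idp"; fi
  printf '%s\n' "$roles"
}

# triage TRAIN BUILD CONF : print a one-line verdict combining both checks
triage() {
  state=$(assess_build "$1" "$2")
  roles=$(saml_roles "$3")
  case "$state" in
    vulnerable)
      if [ -n "$roles" ]; then echo "exploitable: vulnerable build with SAML role(s): $roles"
      else echo "patch: vulnerable build, no SAML role configured"; fi ;;
    *) echo "$state" ;;
  esac
}

# Constructed sample ns.conf fragment (not a real configuration) declaring a SAML SP.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
add authentication samlAction saml_sp -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication Policy saml_pol -rule true -action saml_sp
EOF

# Constructed "show ns version" line for an unpatched 13.0 build.
SAMPLE_VERSION='NetScaler NS13.0: Build 58.30.nc, Date: Nov 1 2022, 10:00:00   (64-bit)'
set -- $(parse_ns_version "$SAMPLE_VERSION")
triage "$1" "$2" "$SAMPLE_CONF"   # exploitable: vulnerable build with SAML role(s): sp
rm -f "$SAMPLE_CONF"
```

On a real appliance the inputs come from the nscli command "show ns version" and the file /nsconfig/ns.conf; a "patch" verdict still means update, since the fixed builds also close the exposure for appliances that later gain a SAML role.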

How SentinelOne can help

With the help of SentinelOne’s platform, you can identify and prevent vulnerabilities in your cloud infrastructure. It performs a deep scan of your cloud infrastructure and discovers the vulnerable components. It then prioritizes the issue and makes a real-time assessment of the situation.

With SentinelOne’s cloud security platform, you can protect yourself from the latest zero-day attacks, keep up with all the changes in cloud computing, and improve your security posture across your multiple cloud accounts.