On November 8th, 2022, Citrix disclosed three vulnerabilities affecting several versions of Citrix ADC and Citrix Gateway: a critical authentication bypass (CVE-2022-27510), a remote desktop takeover (CVE-2022-27513), and a bypass of the user login brute force protection functionality (CVE-2022-27516).
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway appliances as Citrix-managed cloud services are not affected.
A threat actor could leverage these vulnerabilities in specific circumstances:
- CVE-2022-27510: Critical authentication bypass using an alternate path or channel which can only be exploited if the appliance is configured as a VPN (Gateway).
- CVE-2022-27513: Insufficient verification of data authenticity allowing remote desktop takeover through phishing attacks. This vulnerability can only be exploited if the appliance is configured as a VPN (Gateway) and the RDP proxy functionality is configured.
- CVE-2022-27516: User login brute force protection mechanism failure allowing login bypass. This vulnerability can only be exploited if the appliance is configured as a VPN (Gateway) or AAA virtual server, and the user lockout functionality “Max Login Attempts” must be configured.
The following versions are affected:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
- Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
- Citrix ADC 12.1-FIPS before 12.1-55.289
- Citrix ADC 12.1-NDcPP before 12.1-55.289
Several vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog have impacted Citrix ADC and Citrix Gateway in the past. Arctic Wolf Labs strongly recommends upgrading to the patched versions on the impacted devices to prevent potential exploitation.
Recommendation: Upgrade to Patched Versions of Citrix ADC or Citrix Gateway
Affected customers should download and install the following updated versions as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
- Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
Citrix ADC and Citrix Gateway versions prior to 12.1 are end of life (EOL); customers on those versions should upgrade to one of the supported versions.
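As an added example (not code from the advisory or from Citrix), the following Python script encodes the affected and fixed builds listed above together with the per-CVE configuration preconditions, so a fleet inventory of appliance version strings can be triaged: it accepts either the "major-build.minor" form used in the lists or a banner of the assumed form `NetScaler NS13.0: Build 88.12.nc`, and the configuration flag names and helper functions are assumptions for this example.

```python
import re

# Fixed builds from the advisory, keyed by (release branch, flavor).
# Flavor is "" for the standard build, or "FIPS" / "NDcPP" for the 12.1 variants.
PATCHED_BUILDS = {
    ("13.1", ""): (33, 47),
    ("13.0", ""): (88, 12),
    ("12.1", ""): (65, 21),
    ("12.1", "FIPS"): (55, 289),
    ("12.1", "NDcPP"): (55, 289),
}

# Configuration preconditions for each CVE, as stated in the advisory.
# Flag names are assumed for this example; map them from your own config export.
CVE_CONDITIONS = {
    "CVE-2022-27510": lambda c: c["gateway_vpn"],
    "CVE-2022-27513": lambda c: c["gateway_vpn"] and c["rdp_proxy"],
    "CVE-2022-27516": lambda c: (c["gateway_vpn"] or c["aaa_vserver"]) and c["max_login_attempts"],
}

# Accepts "13.0-88.12" or a banner such as "NetScaler NS13.0: Build 88.12.nc" (assumed format).
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?::\s*Build\s+|-)(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text):
    """Return (branch, (build, minor)), e.g. ("13.0", (88, 12))."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version_text, config, flavor=""):
    """Classify one appliance and list the CVEs its configuration makes reachable."""
    branch, build = parse_version(version_text)
    fixed = PATCHED_BUILDS.get((branch, flavor))
    if fixed is None:
        # Branches before 12.1 are EOL per the advisory; anything else is outside its table.
        status = "eol" if tuple(map(int, branch.split("."))) < (12, 1) else "unknown_branch"
    elif build >= fixed:  # tuple comparison: build number first, then minor
        status = "patched"
    else:
        status = "vulnerable"
    # Only unpatched appliances are exposed, and only to the CVEs whose preconditions hold.
    exposed = [] if status == "patched" else [c for c, ok in CVE_CONDITIONS.items() if ok(config)]
    return {"branch": branch, "flavor": flavor, "build": build, "status": status, "exposed_to": exposed}
```

Note that the same build number can be patched on one 12.1 flavor and unpatched on another (12.1-55.289 is fixed for FIPS and NDcPP but below 12.1-65.21 on the standard branch), so the flavor must be passed explicitly.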
Please follow your organization's patching and testing guidelines to avoid any operational impact.