Project Hyphae

Citrix ADC and Gateway under active exploit


A vulnerability (CVE-2022-27518) has been discovered in Citrix ADC and Citrix Gateway that can allow unauthenticated remote code execution (RCE). This is a critical zero-day vulnerability and you should patch now. The following versions are affected (13.1 is not affected):

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32 
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25 
  • Citrix ADC 12.1-FIPS before 12.1-55.291 
  • Citrix ADC 12.1-NDcPP before 12.1-55.291 

You can find their security bulletin here: https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518

At this point Citrix is aware of a small number of targeted attacks in the wild. However, it will not take long before other malicious actors exploit it as well. The appliance must be configured as a SAML SP or SAML IdP for the exploit to work, so administrators can inspect their ns.conf files for either of the following directives:

  • add authentication samlAction
  • add authentication samlIdPProfile
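
The version and configuration checks above, as an added example that is not part of the original post or of any Citrix tooling. It accepts either the "13.0-58.32" notation used in the bulletin or the first line of `show version` output from the appliance, compares the build against the fixed build for that branch, and scans ns.conf text for the two SAML directives. The ns.conf excerpt and version strings embedded below are constructed sample input; the parameter names on the SAML lines are illustrative, and the FIPS/NDcPP distinction is passed in by the caller because it is not recoverable from the version string alone.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds from the Citrix bulletin for CVE-2022-27518 (CTX474995).
# A device is affected when it runs a build *below* the fixed one for its branch.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "fips"): (55, 291),
    ("12.1", "ndcpp"): (55, 291),
}

# Matches "13.0-58.32" (bulletin notation) and "NetScaler NS13.0: Build 58.32.nc ..."
# (first line of `show version` on the appliance).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+\.\d+)")

# The two directives named in the post; equivalent to
#   grep -E 'add authentication saml(Action|IdPProfile)' /nsconfig/ns.conf
_SAML_RE = re.compile(r"^\s*add\s+authentication\s+(samlAction|samlIdPProfile)\b", re.MULTILINE)


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (branch, (build_major, build_minor)) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor = m.group(2).split(".")
    # Builds compare as integer tuples, not floats: 58.100 is newer than 58.32.
    return m.group(1), (int(major), int(minor))


def is_vulnerable(version_text: str, variant: str = "standard") -> Optional[bool]:
    """True if the build is below the fixed build for its branch/variant,
    False if at or above it, None if unparseable or if the branch/variant is
    not in the table above (e.g. 13.1, or an end-of-life branch) and must be
    checked against the bulletin by hand."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    branch, build = parsed
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return None
    return build < fixed


def saml_directives(ns_conf: str) -> List[str]:
    """Return the SAML SP/IdP directives present in ns.conf text (the exploit precondition)."""
    return _SAML_RE.findall(ns_conf)


def exposure_report(version_text: str, ns_conf: str, variant: str = "standard") -> dict:
    """Combine both checks: a device needs patching now if it runs a vulnerable
    build AND has a SAML SP or IdP configured."""
    vuln = is_vulnerable(version_text, variant)
    saml = saml_directives(ns_conf)
    return {
        "vulnerable_build": vuln,
        "saml_directives": saml,
        "needs_patch_now": vuln is True and bool(saml),
    }


# Constructed sample input (not from a real appliance).
SAMPLE_VERSION = "NetScaler NS13.0: Build 58.30.nc"
SAMPLE_NS_CONF = """\
# constructed ns.conf excerpt
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.com/sso"
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert
add authentication ldapAction ldap_act -serverIP 10.0.0.20
"""

if __name__ == "__main__":
    print(exposure_report(SAMPLE_VERSION, SAMPLE_NS_CONF))
```

A result of `None` for `vulnerable_build` is deliberately not treated as "safe": it means the string was not matched or the branch is outside the bulletin's table, and the device should be checked manually rather than dropped from the patch list.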

As this vulnerability is known to have been exploited in the wild, threat hunting should be carried out on every affected device to confirm it was not compromised before patching. In similar situations with vulnerabilities of this type (think Log4j, ProxyShell, ProxyLogon, and previous NetScaler/ADC vulnerabilities), threat actors have exploited devices very quickly, established persistence, and launched further attacks later. The NSA has published threat-hunting guidance for the impacted devices, in its advisory on APT5 activity against Citrix ADC, at the following URL:

https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF

In any case, this is one that deserves your attention. For additional information, including how to update, please see Citrix's blog post: https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/
