A vulnerability has been discovered in Citrix ADC and Citrix Gateway that can allow unauthenticated Remote Code Execution (RCE). This is a critical zero-day vulnerability and you should patch now. The following versions are affected:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
You can find their security bulletin here: https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518
At this point Citrix is aware of a small number of targeted attacks in the wild. However, it will not take long before other malicious actors exploit it. The appliance must be configured as a SAML SP or IdP for the exploit to work, and administrators can inspect their ns.conf files for the following directives:
add authentication samlAction
add authentication samlIdPProfile
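The check described above, as an added example that is not part of the original post or of any Citrix tooling: it reads an ns.conf, reports whether the appliance has the SAML SP (samlAction) or IdP (samlIdPProfile) directives present, and compares the running build against the fixed builds listed above. The ns.conf excerpt and the "show version" line are constructed samples; the assumption that "show version" output contains a string of the form "NS13.0: Build 58.32.nc" is mine, so adjust the regex if your output differs.

```python
import re

# First fixed build for each affected branch, taken from the advisory:
# (branch, flavor) -> (major, minor) of the build that contains the fix.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),    # 13.0 before 13.0-58.32
    ("12.1", "standard"): (65, 25),    # 12.1 before 12.1-65.25
    ("12.1", "FIPS"): (55, 291),       # 12.1-FIPS before 12.1-55.291
    ("12.1", "NDcPP"): (55, 291),      # 12.1-NDcPP before 12.1-55.291
}


def parse_build(build):
    """Turn a build string such as '58.32' or '58.32.nc' into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)", build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected_build(branch, build, flavor="standard"):
    """True when (branch, flavor) is listed in the advisory and build is older than the fix."""
    key = (branch, flavor)
    if key not in FIXED_BUILDS:
        # Branches not listed in the advisory are treated as not affected.
        return False
    return parse_build(build) < FIXED_BUILDS[key]


def parse_show_version(text):
    """Extract (branch, build) from 'show version' output.

    Assumed format (not taken from the advisory): '... NS13.0: Build 58.32.nc, ...'.
    """
    m = re.search(r"NS(\d+\.\d+): Build (\d+\.\d+)", text)
    if not m:
        raise ValueError("could not find 'NSx.y: Build a.b' in version output")
    return m.group(1), m.group(2)


def saml_roles(ns_conf_text):
    """Return the SAML roles configured in ns.conf: 'SP' for samlAction, 'IdP' for samlIdPProfile."""
    roles = set()
    for line in ns_conf_text.splitlines():
        line = line.strip()
        if line.startswith("add authentication samlAction"):
            roles.add("SP")
        elif line.startswith("add authentication samlIdPProfile"):
            roles.add("IdP")
    return roles


def assess(branch, build, ns_conf_text, flavor="standard"):
    """Combine the build check and the ns.conf check into one verdict."""
    vulnerable_build = is_affected_build(branch, build, flavor)
    roles = sorted(saml_roles(ns_conf_text))
    return {
        "affected_build": vulnerable_build,
        "saml_roles": roles,
        # Exposed only when both conditions from the advisory hold.
        "exposed": vulnerable_build and bool(roles),
    }


# Constructed sample ns.conf excerpt: appliance acting as a SAML SP.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication vserver auth_vs SSL 192.0.2.11 443
bind authentication vserver auth_vs -policy saml_pol -priority 100
"""

# Constructed sample 'show version' line (format is an assumption, see above).
SAMPLE_SHOW_VERSION = "NetScaler NS13.0: Build 57.19.nc, Date: Oct 10 2022, 04:33:57"


if __name__ == "__main__":
    branch, build = parse_show_version(SAMPLE_SHOW_VERSION)
    print(assess(branch, build, SAMPLE_NS_CONF))
    # -> {'affected_build': True, 'saml_roles': ['SP'], 'exposed': True}
```

Run it against a real ns.conf (typically /nsconfig/ns.conf on the appliance) and the real "show version" output; an "exposed" verdict means the device meets both conditions and should be patched and threat-hunted rather than merely noted.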
As this vulnerability is known to have been exploited in the wild, threat hunting should be performed on every affected device to confirm that it was not compromised before patching. In similar situations with vulnerabilities of this type (think Log4J, ProxyShell, ProxyLogon, previous NetScaler/ADC vulnerabilities) threat actors have exploited devices very quickly, established persistence, and launched attacks later. The NSA has provided threat-hunting guidance for the impacted devices at the following URL:
https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF
In any case, this is one that deserves your attention. For additional information and update instructions, please see Citrix’s blog post: https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/
