An unauthenticated remote code execution flaw (CVE-2022-27518) is being leveraged by a Chinese state-sponsored group to compromise Citrix Application Delivery Controller (ADC) deployments, the US National Security Agency has warned. “Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls.”
CVE-2022-27518 stems from the vulnerable devices’ software failing to maintain control over a resource throughout its lifetime (creation, use, and release) and gives remote attackers the opportunity to execute arbitrary code (without prior authentication) on vulnerable appliances.
The zero-day flaw affects both Citrix ADC, which is usually leveraged for load balanced, secure remote access to Citrix Virtual Apps and Desktops applications, and Citrix Gateway, a secure remote access solution with identity and access management capabilities, which also provides single sign-on for variously hosted applications.
Citrix’s security bulletin lists the affected supported and unsupported versions, and notes that only customer-managed Citrix ADC and Citrix Gateway appliances require a swift update.
The company also lists a pre-condition for exploitation: only Citrix ADCs and Citrix Gateways that are configured as a SAML SP (service provider) or a SAML IdP (identity provider) are at risk, and should be upgraded post-haste.
The NSA has published threat hunting guidance to help organizations investigate whether their Citrix ADC environments have been compromised, and have attributed observed attacks to APT5 (aka UNC2630, aka MANGANESE).
For over a decade, APT5 has been targeting and breaching organizations across multiple industries, but especially telecommunications and technology companies. The group has previously been known to exploit vulnerabilities in VPN products by Fortinet, Palo Alto Networks and Pulse Secure.
“Update to the latest Citrix release, check for compromise, and let us know if you find anything,” said NSA’s Cybersecurity Director Rob Joyce following the release of the guidance.