CVE-2022-27518: Critical RCE in Citrix ADC & Citrix Gateway Being Exploited in the Wild

December 23, 2022 · 4 min read

Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-27518
CVSS:3.0 Score: 9.8

Executive Summary

Threat

  • Critical RCE vulnerability affecting Citrix ADC and Citrix Gateway.
  • APT5 has been observed exploiting this vulnerability in the wild, as reported by Citrix and the NSA.
  • Threat actors on cybercrime forums were looking to buy exploits for this vulnerability to perform arbitrary code execution.

Impact

Threat actors can exploit the vulnerability to:

  • Gain initial access
  • Disclose sensitive information
  • Perform DDoS attacks
  • Encrypt the infrastructure with malware
  • Gain privileges and execute arbitrary code remotely

Mitigation

Update to the latest versions:

  • Citrix ADC and Citrix Gateway 13.0-58.32 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP

Analysis

CVE-2022-27518 is a critical-severity vulnerability, with a CVSS:3.0 score of 9.8, affecting Citrix ADC and Citrix Gateway. It was disclosed by Citrix on 13 December 2022 and allows an unauthenticated remote attacker to perform arbitrary code execution on a vulnerable appliance.

Citrix and the NSA have stated that they observed exploitation attempts in the wild, which have been attributed to APT5. Several other cybercriminals have also shown interest in buying exploits for the vulnerability.

As of now, there is no publicly available exploit. This is expected to change as soon as a viable exploit is created and shared publicly.

Chatter on cybercrime forum

Affected Products

The following table lists the Citrix products and their versions affected by this vulnerability.

| SNo. | Product Name | Affected Versions | Updated Versions |
|------|--------------|-------------------|------------------|
| 1. | Citrix ADC and Citrix Gateway 13.0 | before 13.0-58.32 | 13.0-58.32 and later releases of 13.0 |
| 2. | Citrix ADC and Citrix Gateway 12.1 | before 12.1-65.25 | 12.1-65.25 and later releases of 12.1 |
| 3. | Citrix ADC 12.1-FIPS | before 12.1-55.291 | 12.1-55.291 and later releases of 12.1-FIPS |
| 4. | Citrix ADC 12.1-NDcPP | before 12.1-55.291 | 12.1-55.291 and later releases of 12.1-NDcPP |

Pre-Conditions

  • Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP.
  • To check whether the Citrix ADC or Citrix Gateway is configured in either of these roles, inspect the ns.conf file by running the following command for each role:
    • SAML SP
    • SAML IdP
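The following POSIX shell script is an added example, not part of the advisory above or of any Citrix tooling. It checks both pre-conditions at once: whether an ns.conf declares a SAML SP or SAML IdP, and whether the appliance build is below the fixed build listed in the affected-products table. It assumes (not stated on this page) that a SAML SP appears in ns.conf as `add authentication samlAction` and a SAML IdP as `add authentication samlIdPProfile`, and that the version is supplied as separate release and build values (for example `13.0` and `58.30`); the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: evaluate the two CVE-2022-27518 pre-conditions.
# ASSUMED (not from the advisory): SAML SP is declared with
# "add authentication samlAction", SAML IdP with "add authentication samlIdPProfile".

# saml_roles <ns.conf>: print the SAML roles found; return 0 if any, 1 if none.
saml_roles() {
  conf="$1"; found=1
  if grep -q '^add authentication samlAction ' "$conf"; then
    echo "SAML SP"; found=0
  fi
  if grep -q '^add authentication samlIdPProfile ' "$conf"; then
    echo "SAML IdP"; found=0
  fi
  return $found
}

# build_is_vulnerable <release> <build>: 0 if the build is below the fixed
# build from the advisory table, 1 if fixed, 2 if the release is not listed.
build_is_vulnerable() {
  case "$1" in
    13.0)                 fixed=58.32 ;;
    12.1)                 fixed=65.25 ;;
    12.1-FIPS|12.1-NDcPP) fixed=55.291 ;;
    *)                    return 2 ;;
  esac
  bmaj=${2%%.*}; bmin=${2#*.}          # e.g. 58.30 -> 58 and 30
  fmaj=${fixed%%.*}; fmin=${fixed#*.}  # compare field by field, numerically
  if [ "$bmaj" -lt "$fmaj" ]; then return 0; fi
  if [ "$bmaj" -eq "$fmaj" ] && [ "$bmin" -lt "$fmin" ]; then return 0; fi
  return 1
}

# assess <ns.conf> <release> <build>: 0 only when both pre-conditions hold.
assess() {
  saml_roles "$1" >/dev/null && build_is_vulnerable "$2" "$3"
}

# Constructed sample ns.conf for a stand-alone run (SAML SP on an old build).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
add lb vserver web-vs HTTP 10.0.0.10 80
add authentication samlAction saml-sp -samlIdPCertName idp-cert
EOF
if assess "$SAMPLE_CONF" 13.0 58.30; then
  echo "matches pre-conditions: $(saml_roles "$SAMPLE_CONF" | tr '\n' ' ')on 13.0-58.30 (< 13.0-58.32)"
else
  echo "does not match advisory pre-conditions"
fi
rm -f "$SAMPLE_CONF"
```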

Information from OSINT

The NSA has issued an advisory warning about a critical vulnerability affecting Citrix ADC and Citrix Gateway. According to the NSA and Citrix, APT5, a Chinese state-backed threat actor known to target telecommunications and technology companies, is actively exploiting this vulnerability.

Shodan searches suggest that Citrix Gateway is used by a large number of organizations worldwide.

Screenshot of Shodan search results

Indicators of Compromise (IoCs)

Based on the results from VirusTotal, the following are the IoCs for APT5.

Hashes (SHA-256):

  • ed0c77d57643f07a19430c5671a21c0c77cd7439ac2cd912887f141c6fe41d4a
  • 074c472406e38385fe769fbaaa72c7259247f42ef1b9140f31228afc66afbc67
  • 0f5b183bbf24a075450be4d603de2a02d7cc0e2eef9942c540ae1503b0c38b1d

File names:

  • vti-rescan
  • x.exe
  • mgc.exe
  • netmgr.exe

Hostname:

  • tsl.gettrials.com

Appendix

NSA Warning Advisory for CVE-2022-27518

NSA published Yara signatures to detect malware used by APT5