Remote Code Execution
- Critical RCE vulnerability affecting Citrix ADC and Citrix Gateway.
- APT 5 has been observed exploiting this vulnerability in the wild as per Citrix and NSA.
- Threat actors on the cybercrime forums were looking to buy the exploits for this vulnerability to perform arbitrary code execution.
Threat actors can exploit the vulnerability to:
- Gain initial access
- Disclose sensitive information
- Perform DDoS attacks
- Encrypt the infrastructure with malware
- Gain privileges and execute arbitrary code remotely
Update to the latest versions:
- Citrix ADC and Citrix Gateway 13.0-58.32 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP
CVE-2022-27518 is a critical vulnerability, with a CVSS:3.0 score of 9.8, affecting Citrix ADC and Citrix Gateway. It was disclosed by Citrix on 13 December 2022 and allows an unauthenticated remote attacker to execute arbitrary code on a vulnerable appliance.
Citrix and the NSA have stated that they have observed exploitation attempts in the wild, which have been attributed to APT5. Several cybercriminals have also shown interest in buying exploits for the vulnerability.
As of now, there is no publicly available exploit. However, this scenario is expected to change as soon as a viable exploit is created and shared publicly.
Figure: Chatter on a cybercrime forum
The following table lists the Citrix products and their versions affected by this vulnerability.
| Product | Affected versions | Fixed versions |
|---|---|---|
| Citrix ADC and Citrix Gateway | 13.0 before 13.0-58.32 | 13.0-58.32 and later releases of 13.0 |
| Citrix ADC and Citrix Gateway | 12.1 before 12.1-65.25 | 12.1-65.25 and later releases of 12.1 |
| Citrix ADC 12.1-FIPS | 12.1-FIPS before 12.1-55.291 | 12.1-55.291 and later releases of 12.1-FIPS |
| Citrix ADC 12.1-NDcPP | 12.1-NDcPP before 12.1-55.291 | 12.1-55.291 and later releases of 12.1-NDcPP |
- Prerequisite: the Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP.
- To check whether an appliance is configured this way, inspect its ns.conf file for either of the following configuration commands:
- SAML SP: `add authentication samlAction`
- SAML IdP: `add authentication samlIdPProfile`
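The two checks above (is the appliance below the fixed build for its branch, and does ns.conf carry a SAML SP or IdP configuration) combine into a simple triage script. The following is an added example written for this page, not tooling from Citrix or from the advisory. It assumes that a build such as 58.31 compares as the integer pair (58, 31), that the branch labels "13.0", "12.1", "12.1-FIPS" and "12.1-NDcPP" are passed in separately (the 12.1 and 12.1-FIPS build numbers overlap, so the branch cannot be inferred from the build alone), and it runs against a constructed ns.conf fragment so it can be executed without an appliance.

```shell
#!/bin/sh
# Added example (not Citrix's or the advisory's own tooling): triage one
# Citrix ADC / Gateway appliance for CVE-2022-27518 using the two facts the
# advisory gives: the fixed build per release branch, and the SAML SP/IdP
# configuration prerequisite visible in ns.conf.

# Fixed builds per branch, taken from the advisory text. The branch labels
# "13.0", "12.1", "12.1-FIPS", "12.1-NDcPP" are names chosen for this script.
fixed_build() {
  case "$1" in
    13.0)       echo "58.32" ;;
    12.1)       echo "65.25" ;;
    12.1-FIPS)  echo "55.291" ;;
    12.1-NDcPP) echo "55.291" ;;
    *)          echo "" ;;
  esac
}

# build_lt A B: exit 0 when build A is older than build B. Assumption: a build
# "58.31" compares as the integer pair (58, 31), so 58.31 < 58.32 and
# 55.290 < 55.291. String comparison would get "55.291" vs "55.30" wrong.
build_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    lt = (x[1]+0 < y[1]+0) || (x[1]+0 == y[1]+0 && x[2]+0 < y[2]+0)
    exit lt ? 0 : 1
  }'
}

# saml_configured FILE: exit 0 when ns.conf declares a SAML SP (samlAction)
# or a SAML IdP (samlIdPProfile), the prerequisite named in the advisory.
saml_configured() {
  grep -Eq '^add authentication saml(Action|IdPProfile)[[:space:]]' "$1"
}

# assess BRANCH BUILD NSCONF: print one of PATCHED, VULNERABLE,
# UNPATCHED_NO_SAML or UNKNOWN_BRANCH. Always exits 0 so it composes in $(...).
assess() {
  fixed=$(fixed_build "$1")
  if [ -z "$fixed" ]; then
    echo "UNKNOWN_BRANCH"
  elif ! build_lt "$2" "$fixed"; then
    echo "PATCHED"
  elif saml_configured "$3"; then
    echo "VULNERABLE"
  else
    # Unpatched but the SAML prerequisite is absent; still schedule the update,
    # since a later configuration change would expose the appliance.
    echo "UNPATCHED_NO_SAML"
  fi
  return 0
}

# Writes a constructed ns.conf fragment (made-up object names, RFC 5737
# addresses) containing a SAML SP action, so the script runs without an appliance.
make_sample_conf() {
  cat > "$1" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add vpn vserver gw_vs SSL 192.0.2.11 443
EOF
}

# Stand-alone demo against the constructed file.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
echo "13.0 build 58.31, SAML SP configured: $(assess 13.0 58.31 "$demo_conf")"
echo "13.0 build 58.32, SAML SP configured: $(assess 13.0 58.32 "$demo_conf")"
rm -f "$demo_conf"
```

On a real appliance, the ns.conf to inspect is the running configuration under /nsconfig, and the branch and build come from the appliance's version output; the script deliberately reports an unpatched appliance without SAML configuration as a separate state, because the absence of the prerequisite today is not a reason to skip the update.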
Information from OSINT
The NSA has issued an advisory warning about a critical vulnerability [CVE-2022-27518] affecting Citrix ADC and Citrix Gateway. According to the NSA and Citrix, APT5, a Chinese state-backed threat actor known to target telecommunications and technology companies, is actively exploiting this vulnerability.
Shodan searches suggest that Citrix Gateway is used by a large number of organizations worldwide.
Figure: Screenshot of Shodan search results
Indicators of Compromise (IoCs)
Based on the results from VirusTotal, the following are the IoCs for APT5.
Figure: NSA warning advisory for CVE-2022-27518
Figure: NSA-published YARA signatures to detect malware used by APT5