- In the last two months, Citrix Systems has disclosed two vulnerabilities that could allow an unauthenticated attacker to run arbitrary code on affected servers.
- Both vulnerabilities are rated critical with a CVSS score of 9.8, and customers running affected builds are urged to install the recommended updates immediately.
- Most Citrix endpoints have been patched; however, thousands of servers remain unpatched.
Citrix Systems, a cloud computing and virtualization technology company, has disclosed two critical vulnerabilities, tracked as CVE-2022-27510 and CVE-2022-27518. The first was patched in early November, the second in mid-December. Both are critical vulnerabilities with CVSS scores of 9.8. They can allow attackers to execute arbitrary code on the server and gain access to Gateway user capabilities.
Many appliances remain unpatched
Even though patches are already available, many instances remain unpatched; at least 28,000 Citrix servers are estimated to have been at risk. Customers who use Citrix-managed cloud services or Citrix-managed Adaptive Authentication don't need to take any action. This only affects customer-managed Citrix ADC and Citrix Gateway appliances.
The following versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
The vulnerability requires SAML Service Provider or SAML Identity Provider configurations to be exploited. Customers can determine if their Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP by inspecting the ns.conf file for the following commands:
- add authentication samlAction: the appliance is configured as a SAML SP
- add authentication samlIdPProfile: the appliance is configured as a SAML IdP
If either of the commands is present in the ns.conf file and if the version matches an affected version, then the appliance must be updated immediately.
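The check described above, as an added example (not Citrix's tooling and not code from the original article): it scans an ns.conf for the two SAML commands and compares the running build against the affected versions listed on this page. The sample ns.conf is constructed; the build string (for example "13.0-47.24") and the FIPS/NDcPP variant are assumed to be supplied by the operator, since how the version is recorded inside ns.conf is not stated on the page.

```python
from typing import Dict, Optional, Set, Tuple

# Affected ranges exactly as listed in the advisory text above:
# (release, variant) -> first fixed build. Builds below the fixed build are affected.
AFFECTED: Dict[Tuple[str, Optional[str]], str] = {
    ("13.0", None): "58.32",
    ("12.1", None): "65.25",
    ("12.1", "FIPS"): "55.291",
    ("12.1", "NDcPP"): "55.291",
}

# ns.conf commands that indicate a SAML SP or SAML IdP configuration.
SAML_MARKERS = {
    "add authentication samlAction": "SAML SP",
    "add authentication samlIdPProfile": "SAML IdP",
}

# Constructed sample ns.conf excerpt (not a real appliance configuration).
SAMPLE_NS_CONF = """\
#NS13.0 Build 47.24
add authentication ldapAction LDAP_ACT -serverIP 10.0.0.5
add authentication samlAction SAML_ACT -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication Policy pol_saml -rule true -action SAML_ACT
"""


def parse_build(build: str) -> Tuple[str, Tuple[int, ...]]:
    """Split '13.0-58.32' into ('13.0', (58, 32)) so builds compare numerically."""
    release, _, number = build.partition("-")
    if not number:
        raise ValueError(f"build must look like '13.0-58.32', got {build!r}")
    return release, tuple(int(part) for part in number.split("."))


def saml_roles(ns_conf: str) -> Set[str]:
    """Return the SAML roles ('SAML SP', 'SAML IdP') configured in an ns.conf."""
    roles: Set[str] = set()
    for raw in ns_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        for marker, role in SAML_MARKERS.items():
            if line.startswith(marker):
                roles.add(role)
    return roles


def is_affected_build(build: str, variant: Optional[str] = None) -> bool:
    """True when the build is below the fixed build for its release/variant.

    A release that is not in the table (e.g. a newer major version) returns False,
    meaning "not in this advisory's list", not "known safe".
    """
    release, number = parse_build(build)
    fixed = AFFECTED.get((release, variant))
    if fixed is None:
        return False
    return number < tuple(int(part) for part in fixed.split("."))


def assess(ns_conf: str, build: str, variant: Optional[str] = None) -> dict:
    """Combine both conditions from the advisory: SAML configured AND affected build."""
    roles = saml_roles(ns_conf)
    affected = is_affected_build(build, variant)
    return {
        "roles": sorted(roles),
        "affected_build": affected,
        "must_update": bool(roles) and affected,
    }


if __name__ == "__main__":
    # Example run against the constructed sample with an assumed build string.
    print(assess(SAMPLE_NS_CONF, "13.0-47.24"))
```

The two conditions are deliberately kept separate in the result: an appliance on an affected build without SAML commands still deserves the update, and a SAML-configured appliance on a fixed build should not be flagged, but both facts are useful in an inventory report.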
The National Security Agency (NSA) has released a Citrix ADC Threat Hunting Guidance document.