- Citrix announced that the company has released an update that addresses three high-severity vulnerabilities.
- Customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible.
- Citrix didn’t share workaround methods for the vulnerabilities, thus users are urged to install the update to stay safe.
Citrix has announced the release of a fix for three high-severity vulnerabilities affecting Citrix ADC, a load-balancing solution and Citrix Gateway, an SSL VPN service. Citrix also urged customers to install the update as soon as possible. The issues were reported by Jarosław Kamiński of Securitum.
In the advisory, Citrix stated that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the first issue, which is rated as a Critical severity vulnerability. The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
- Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
- Citrix ADC and Citrix Gateway 12.1 before 18.104.22.168
- Citrix ADC 12.1-FIPS before 12.1-55.289
- Citrix ADC 12.1-NDcPP before 12.1-55.289
Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
- Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
The vulnerabilities are:
- Authentication Bypass Using an Alternate Path or Channel (CVE-2022-27510): Unauthorized access to Gateway user capabilities
- Insufficient Verification of Data Authenticity (CVE-2022-27513): Remote desktop takeover via phishing
- Protection Mechanism Failure (CVE-2022-27516): User login brute force protection functionality bypass