
Hackers Actively Exploiting Citrix ADC and Gateway Zero-Day Vulnerability


The Citrix Application Delivery Controller (ADC) and Gateway contain zero-day vulnerabilities that have been actively exploited by a threat actor known as APT5, according to the U.S. National Security Agency (NSA) on Tuesday.

CVE-2022-27518 is a critical remote code execution vulnerability that could allow an unauthenticated attacker to execute commands remotely on a susceptible appliance and take control of it.


However, a Citrix ADC or Citrix Gateway appliance is only exposed when it is configured as a SAML service provider (SP) or a SAML identity provider (IdP).


The following supported versions of Citrix ADC and Citrix Gateway are affected by the vulnerability:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix ADC and Citrix Gateway versions 13.1 are not impacted. The company also said there are no workarounds available “beyond disabling SAML authentication or upgrading to a current build.”
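A practical first step for defenders is to check an appliance inventory against the affected and fixed builds listed above. The following script is an added example written for this article, not a Citrix tool: the fixed-build table comes from the advisory text on this page, while the version-string formats it accepts (the advisory's "13.0-58.32" form and an assumed "NS13.0: Build 58.32.nc" style string), the edition labels, and the sample inventory are constructed assumptions. Because the fix is only relevant where SAML is in use, the check also takes a flag for whether the appliance is configured as a SAML SP or IdP.

```python
import re

# Fixed builds taken from the advisory text on this page. Build numbers are
# compared as (major build, minor build) tuples, so 58.32 > 58.4 as intended.
# FIPS and NDcPP images on 12.1 have their own fixed build, so the edition
# must be supplied alongside the version string.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# Branch stated on the page as not impacted.
UNAFFECTED_BRANCHES = {"13.1"}

# Assumed display formats: "13.0-58.32" (advisory style) or
# "NS13.0: Build 58.32.nc" (a 'show version'-like string; format is assumed).
_VERSION_RE = re.compile(r"^(?:NS)?(\d+\.\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (build_major, build_minor)) from a version string."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch = match.group(1)
    build = (int(match.group(2)), int(match.group(3)))
    return branch, build


def assess(version_text, edition="standard", saml_configured=True):
    """Classify one appliance against CVE-2022-27518 fixed builds.

    Returns one of:
      "not-affected"            branch is not impacted at all (13.1)
      "unknown-branch"          branch/edition not covered by the advisory list
      "patched"                 build is at or above the fixed build
      "exposed-not-configured"  vulnerable build, but SAML SP/IdP not configured
      "vulnerable"              vulnerable build with SAML configured
    """
    branch, build = parse_version(version_text)
    if branch in UNAFFECTED_BRANCHES:
        return "not-affected"
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return "unknown-branch"
    if build >= fixed:
        return "patched"
    if not saml_configured:
        return "exposed-not-configured"
    return "vulnerable"


def assess_inventory(appliances):
    """Run assess() over (name, version, edition, saml_configured) records."""
    return {name: assess(version, edition, saml)
            for name, version, edition, saml in appliances}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("gw-dmz-01", "13.0-58.31", "standard", True),
    ("gw-dmz-02", "NS13.0: Build 58.32.nc", "standard", True),
    ("adc-core-01", "12.1-65.20", "standard", False),
    ("adc-fips-01", "12.1-55.290", "FIPS", True),
    ("adc-lab-01", "13.1-33.47", "standard", True),
]

if __name__ == "__main__":
    for name, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status}")
```

An appliance reported as "vulnerable" should be upgraded to the fixed build; "exposed-not-configured" hosts are not exploitable through this flaw as described, but still run a vulnerable build and should be scheduled for the same upgrade rather than relied on staying SAML-free.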


The virtualization services provider said it’s aware of a “small number of targeted attacks in the wild” using the flaw, urging customers to apply the latest patch to unmitigated systems.

APT5, also known as Bronze Fleetwood, Keyhole Panda, Manganese, and UNC2630, is believed to operate on behalf of Chinese interests. Last year, Mandiant revealed espionage activity targeting verticals that aligned with government priorities outlined in China’s 14th Five-Year Plan.

Those attacks entailed the abuse of a flaw in Pulse Secure VPN devices that was a zero-day at the time (CVE-2021-22893, CVSS score: 10.0) to deploy malicious web shells and exfiltrate valuable information from enterprise networks.


“APT5 has demonstrated capabilities against Citrix Application Delivery Controller deployments,” NSA said. “Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls.”

Microsoft, last month, pointed out Chinese threat actors’ history of discovering and using zero days to their advantage before being picked up by other adversarial collectives in the wild.


News of the Citrix bug also comes a day after Fortinet revealed a severe vulnerability that also facilitates remote code execution in FortiOS SSL-VPN devices (CVE-2022-42475, CVSS score: 9.3).


VMware releases updates for code execution vulnerabilities

In a related development, VMware disclosed details of two critical flaws impacting ESXi, Fusion, Workstation, and vRealize Network Insight (vRNI) that could result in command injection and code execution.

  • CVE-2022-31702 (CVSS score: 9.8) – Command injection vulnerability in vRNI
  • CVE-2022-31703 (CVSS score: 7.5) – Directory traversal vulnerability in vRNI
  • CVE-2022-31705 (CVSS score: 5.9/9.3) – Heap out-of-bounds write vulnerability in EHCI controller

“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed,” the company said in a security bulletin for CVE-2022-31705.


CYBERINFORMER.NET –  brings updates on the latest cyber security tips, online safety tips and cyber information, cyber security courses for Nigerians and Foreigners, Cyber security jobs for seekers and much more
