Pierluigi Paganini
December 29, 2022
NCC Group’s Fox-IT research team warns of thousands of Citrix ADC and Gateway endpoints remain vulnerable to two critical vulnerabilities, tracked as CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8), that the company addressed in recent months.
CVE-2022-27510 flaw is an authentication bypass using an alternate path or channel. An attacker can trigger it to gain unauthorized access to Gateway user capabilities. The vendor pointed out that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are impacted.
Citrix addressed the flaw on November 8, 2022.
The CVE-2022-27518 flaw is a remote code execution bug that can be exploited by an unauthenticated, remote attacker to gain arbitrary code execution on the vulnerable appliance.
On December 13, the vendor urged administrators to apply security updates for the zero-day vulnerability in ADC and Gateway that was actively exploited by China-linked threat actors to gain access to target networks.
Now researchers at NCC Group’s Fox IT team reported despite most internet-facing endpoints have been updated to versions that fix both issues, thousands of installs remain vulnerable.
The researchers initially scanned the Internet for Citrix servers and found around 28.000 installs as of November 11, 2022.
Unfortunately, the version number of these installs was not included in the HTTP response from the servers. The experts noticed that there is an MD5 hash-like value in the HTTP body when requesting the URL:
/vpn/index.html
Then they downloaded and deployed all Citrix ADC versions from cloud marketplaces, including Google Cloud Marketplace, AWS, Azure, and Citrix, and analyzed the matches between hashes and versions.
The research team noticed that some hashes could not be matched with the versions obtained with the described process, then analyzed the build date to deduce their versions.
The following graph shows the Top 20 active versions on the internet as of December 28, 2022, and reports if those versions are vulnerable to both issues:
The good news is that the majority of the servers, more than 5,000, are running the 13.0-88.14 version that’s not impacted by the two flaws.
Over 3,500 Citrix ADC and Gateway servers are running the 12.1-65.21 version which is vulnerable to CVE-2022-27518 attacks, while more than 500 servers are running the 12.1-63.22 version which is vulnerable to both critical flaws.
This second graph shows the Top 20 countries using Citrix ADC / Gateway and how many of them are still vulnerable.
In China, only 20% of internet-facing servers have been updated against both issues.
“In this blog, we’ve shown how we performed the version identification of Citrix ADC and Citrix Gateway servers by analysing disk images exported from Google Cloud Marketplace using dissect. We also demonstrated that gzip files can be helpful for timestamp information and how we utilised this to find and download missing Citrix ADC builds.” concludes the report. “Finally, we used the version identification data to measure the versions of internet-facing Citrix ADC and Gateway servers over time and see that the NSA and Citrix advisory really helped with updates. However, some servers remain vulnerable to CVE-2022-27510 or CVE-2022-27518. We hope this blog creates extra awareness for these two Citrix CVEs and that our research on version identification contributes to future studies.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Citrix)
[adrotate banner=”5″]
[adrotate banner=”13″]
