A critical zero-day vulnerability was found in Citrix ADC and Gateway. CVE-2022-27518 is an unauthenticated remote code execution vulnerability that is being leveraged by a Chinese state-sponsored threat actor known as APT5 or MANGANESE.
APT5 is currently exploiting CVE-2022-27518 by targeting vulnerable Citrix ADC and Gateway devices. The US National Security Agency (NSA) stated that the threat actors have bypassed normal authentication controls and have gained illegitimate access to targeted organizations.
Citrix released a security update stating that they are aware of a small number of targeted attacks in the wild and those using an affected build with a SAML SP or IdP configuration should install their recommended builds immediately.
CVE-2022-27518 affects the following versions of Citrix ADC and Citrix Gateway:
Citrix stated that customers should update to the 12.1 build (including FIPS and NDcPP variants) or to the current 13.0 build (13.0-88.16).
The NSA released threat hunting guidance to help organizations investigate their Citrix ADC environments. The NSA further stated that organizations should treat the detection mechanisms as independent ways of identifying potentially malicious activity on impacted systems. Findings may vary based on the environment and the stage of the activity. The NSA recommends investigating positive results even if the other detections return no findings.
Avertium recommends following Citrix’s guidance below:
Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
Note: Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL, and customers on those versions should upgrade to one of the supported versions.
Customers can determine if their Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP by inspecting the ns.conf file for the following commands:
- Appliance is configured as a SAML SP
- Appliance is configured as a SAML IdP
Note: If either command is present in the ns.conf file and the version is an affected version, then the appliance must be updated.
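The check described above (inspect ns.conf for the SAML SP/IdP commands, then compare the running build against the fixed build) can be scripted for fleet triage. The following is an added example written for this article, not Citrix's or Avertium's tooling. It assumes the build-string format `major.minor-build.patch` (as in 13.0-88.16), encodes only what this page states (13.0-88.16 is fixed, anything prior to 12.1 is EOL, the 12.1 fixed build is not given here), and uses labelled placeholders for the two ns.conf command strings, which must be replaced with the commands from the Citrix bulletin. The sample ns.conf fragment is constructed.

```python
import re

# Build numbers taken from the advisory text above. Only the fixed 13.0 build is
# named there; the exact 12.1 fixed build and the affected ranges are not on this
# page, so they are deliberately not encoded.
FIXED_13_0 = "13.0-88.16"

# Placeholders: the page does not reproduce the ns.conf commands that identify a
# SAML SP / IdP configuration. Replace these with the strings from the Citrix bulletin.
SAML_SP_COMMAND = "<SAML-SP-command-from-Citrix-bulletin>"
SAML_IDP_COMMAND = "<SAML-IdP-command-from-Citrix-bulletin>"

BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version):
    """Turn a build string such as '13.0-88.16' into a comparable tuple (13, 0, 88, 16)."""
    m = BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {version!r}")
    return tuple(int(part) for part in m.groups())


def branch_status(version):
    """Classify a build against what the advisory states.

    eol             - release line older than 12.1 (upgrade to a supported line)
    fixed           - 13.0 build at or above 13.0-88.16
    update-required - 13.0 build below 13.0-88.16
    verify-12.1     - 12.1 line; the fixed 12.1 build number is not given on this page
    unlisted        - release line the advisory does not mention
    """
    build = parse_build(version)
    line = build[:2]
    if line < (12, 1):
        return "eol"
    if line == (13, 0):
        return "fixed" if build >= parse_build(FIXED_13_0) else "update-required"
    if line == (12, 1):
        return "verify-12.1"
    return "unlisted"


def saml_roles(ns_conf_text, sp_command=SAML_SP_COMMAND, idp_command=SAML_IDP_COMMAND):
    """Return the set of SAML roles ('SP', 'IdP') whose commands appear in ns.conf."""
    roles = set()
    for raw in ns_conf_text.splitlines():
        stripped = raw.strip()
        if stripped.startswith(sp_command):
            roles.add("SP")
        if stripped.startswith(idp_command):
            roles.add("IdP")
    return roles


def triage(version, ns_conf_text, sp_command=SAML_SP_COMMAND, idp_command=SAML_IDP_COMMAND):
    """Combine build status and SAML role detection into a single verdict."""
    status = branch_status(version)
    roles = saml_roles(ns_conf_text, sp_command, idp_command)
    if status == "eol":
        action = "upgrade"             # EOL line: upgrade regardless of SAML use
    elif status == "update-required" and roles:
        action = "update"              # affected build with SAML SP/IdP configured
    elif status == "update-required":
        action = "update-recommended"  # affected build, no SAML role found; still install the fix
    elif status == "verify-12.1":
        action = "check-12.1-build"    # compare against the fixed 12.1 build in the Citrix bulletin
    else:
        action = "none"
    return {"status": status, "roles": sorted(roles), "action": action}


# Constructed sample ns.conf fragment (not from a real appliance). The third line
# uses the SP placeholder so the scan has something to match.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set ns hostName example-adc
<SAML-SP-command-from-Citrix-bulletin> saml_act example_args
"""

if __name__ == "__main__":
    # Constructed build strings chosen to exercise each branch of branch_status().
    for ver in ("13.0-88.16", "13.0-88.15", "12.1-1.1", "12.0-1.1"):
        print(ver, triage(ver, SAMPLE_NS_CONF))
```

Run it against a copy of ns.conf pulled from each appliance and the build string reported by the device; anything with action `update`, `update-recommended` or `upgrade` goes on the patch list, and `check-12.1-build` items are resolved against the 12.1 build number in the Citrix bulletin.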
Avertium also recommends following the NSA’s mitigation guidance below: