Users of Citrix Application Delivery Controller (ADC) and Citrix Gateway have been urged to check whether their systems are exposed to a critical unauthenticated remote code execution vulnerability that a highly capable Chinese advanced persistent threat (APT) actor and other state-sponsored hacking groups are actively exploiting.
Citrix ADC is a comprehensive application delivery and load-balancing product that healthcare organizations use to ensure continuous access to critical clinical applications such as electronic medical records. Citrix Gateway is used by healthcare providers for remote access and to provide single sign-on across applications. The Citrix ADC and Gateway authentication bypass vulnerability is tracked as CVE-2022-27518 and has been assigned a CVSS v3 severity score of 9.8 out of 10. An unauthenticated attacker can exploit the vulnerability remotely to execute code and fully compromise the system.
Mandiant has observed a Chinese state-sponsored hacking group exploiting the vulnerability. Mandiant tracks the APT actor as APT5 (also known as Keyhole Panda, UNC2630 and Manganese); it has been active since at least 2007. The group typically targets technology and telecommunications organizations, but companies in other sectors have also been attacked. The Health Sector Cybersecurity Coordination Center (HC3) recently issued an alert about the vulnerability following its exploitation in cyberattacks on healthcare providers. It was not possible to attribute those attacks to a specific threat actor.
HC3 has advised all healthcare organizations to review their inventories to determine whether they use Citrix ADC or Citrix Gateway and, if so, whether those deployments are vulnerable. Where they are, patching should be prioritized. The vulnerability affects the following Citrix ADC and Gateway versions when they are configured as a Security Assertion Markup Language (SAML) identity provider (SAML IdP) or SAML service provider (SAML SP):
- Citrix ADC and Citrix Gateway 13.0 prior to version 13.0-58.32
- Citrix ADC 12.1-NDcPP before version 12.1-55.291
- Citrix ADC 12.1-FIPS prior to version 12.1-55.291
- Citrix ADC and Citrix Gateway 12.1 before version 12.1-65.25
To determine whether Citrix ADC or Citrix Gateway is vulnerable, users should check the ns.conf file for two commands: “add authentication samlIdPProfile” and “add authentication samlAction”. If either command is present in ns.conf, the system is likely vulnerable.
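The two checks above (the affected version list and the ns.conf search) can be scripted against an exported configuration. The following is an added example, not code from Citrix or from the HC3 alert: it searches an ns.conf file for the two SAML commands and compares a release/build pair against the fixed builds listed above. The sample ns.conf fragments, the file paths and the build numbers fed to it are constructed for illustration; only the command names and fixed builds come from the advisory.

```shell
#!/bin/sh
# Added example: triage a Citrix ADC / Gateway configuration export for
# CVE-2022-27518 exposure. Not Citrix or HC3 code; sample data is constructed.

# Print any "add authentication samlIdPProfile" / "add authentication samlAction"
# lines in an ns.conf file. Returns 0 when SAML IdP/SP configuration is present,
# 1 when it is absent, 2 when the file cannot be read.
check_saml_config() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    # '|| true' keeps a no-match grep (exit 1) from aborting under 'set -e'.
    matches=$(grep -E '^add authentication (samlIdPProfile|samlAction)[[:space:]]' "$conf" || true)
    if [ -n "$matches" ]; then
        echo "SAML IdP/SP configuration found in $conf (likely vulnerable if the build is unpatched):"
        printf '%s\n' "$matches" | sed 's/^/  /'
        return 0
    fi
    echo "no SAML IdP/SP configuration found in $conf"
    return 1
}

# Return 0 when build $1 is numerically lower than build $2, comparing the
# two dot-separated fields ("58.3" < "58.32", "55.290" < "55.291").
build_lt() {
    a_major=${1%%.*}; case $1 in *.*) a_minor=${1#*.} ;; *) a_minor=0 ;; esac
    b_major=${2%%.*}; case $2 in *.*) b_minor=${2#*.} ;; *) b_minor=0 ;; esac
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ] && return 0
    return 1
}

# Compare a release ("13.0", "12.1") and build ("58.30") against the fixed
# builds from the advisory. $3 is an optional variant: "FIPS" or "NDcPP".
# Returns 0 when the build is below the fixed build (affected), 1 when it is
# at or above it, and 2 when the release/variant is not one the advisory lists.
is_affected_build() {
    release=$1; build=$2; variant=${3:-standard}
    case "$release:$variant" in
        13.0:standard)            fixed=58.32  ;;
        12.1:standard)            fixed=65.25  ;;
        12.1:FIPS|12.1:NDcPP)     fixed=55.291 ;;
        *) echo "release $release ($variant) is not in the advisory's list" >&2; return 2 ;;
    esac
    if build_lt "$build" "$fixed"; then
        echo "$release-$build ($variant): below fixed build $fixed, affected"
        return 0
    fi
    echo "$release-$build ($variant): at or above fixed build $fixed"
    return 1
}

# Constructed ns.conf fragments standing in for exported appliance configs.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ns_saml.conf" <<'EOF'
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert
EOF
cat > "$SAMPLE_DIR/ns_plain.conf" <<'EOF'
set ns config -IPAddress 10.0.0.11 -netmask 255.255.255.0
add authentication ldapAction ldap_act -serverIP 10.0.0.20
EOF

main() {
    for f in "$SAMPLE_DIR/ns_saml.conf" "$SAMPLE_DIR/ns_plain.conf"; do
        check_saml_config "$f" || true
    done
    is_affected_build 13.0 58.30 || true          # constructed build, affected
    is_affected_build 12.1 55.291 FIPS || true    # constructed build, fixed
}
main
```

Both checks are needed together: the version ranges only apply when SAML IdP or SP configuration is present, and a SAML-configured appliance is only exposed while its build is below the fixed one for its release and variant. Run the config check against a copy of ns.conf taken from the appliance rather than editing anything in place.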
All vulnerable instances of these Citrix systems should be patched without delay to prevent exploitation, and it is also strongly recommended to check whether the vulnerability has already been exploited. YARA signatures are available through the HC3 alert. If evidence of compromise is found, all Citrix instances should be moved behind a VPN or other authentication controls should be applied, and multifactor authentication should be enabled. Citrix ADC appliances located where malicious activity has been found should be isolated and then restored to their last known good state.