Citrix Application Delivery Controller (ADC) and Citrix Gateway users are advised to check that their systems are not exposed to a critical unauthenticated remote code execution vulnerability that a highly capable Chinese advanced persistent threat (APT) actor and other state-sponsored hacking groups are actively exploiting.
Citrix ADC is an application delivery and load-balancing solution that healthcare organizations use to ensure the continual availability of critical clinical applications, including electronic medical records. Citrix Gateway is used by healthcare organizations for remote access and for providing single sign-on across applications. The Citrix ADC and Gateway authentication bypass vulnerability is tracked as CVE-2022-27518 and has been assigned a CVSS v3 severity score of 9.8. An unauthenticated attacker can exploit the vulnerability remotely to execute arbitrary code and fully compromise the appliance.
Mandiant has observed a Chinese state-sponsored hacking group exploiting the vulnerability. The group is tracked by Mandiant as APT5 (also known as Keyhole Panda, Manganese and UNC2630) and has been active since at least 2007. It usually targets technology and telecommunications organizations, but companies in other sectors have also been attacked. The Health Sector Cybersecurity Coordination Center (HC3) has issued an alert about the vulnerability following its exploitation in cyberattacks on healthcare providers. It has not been possible to attribute the healthcare attacks to any particular threat actor.
HC3 has advised all healthcare organizations to review their inventories to determine whether they use Citrix ADC or Citrix Gateway and, if so, whether those appliances are vulnerable. If they are, patching must be prioritized. The vulnerability affects the following Citrix ADC and Gateway versions when they are configured as a Security Assertion Markup Language service provider (SAML SP) or identity provider (SAML IdP):
- Citrix ADC and Citrix Gateway 13.0 prior to version 13.0-58.32
- Citrix ADC 12.1-NDcPP before version 12.1-55.291
- Citrix ADC 12.1-FIPS prior to version 12.1-55.291
- Citrix ADC and Citrix Gateway 12.1 before version 12.1-65.25
Citrix ADC and Citrix Gateway 13.1 are not affected. To determine whether an appliance running an affected version is at risk, open the ns.conf file and search for two commands: “add authentication samlAction” and “add authentication samlIdPProfile”. If either command is present in ns.conf, the appliance is configured as a SAML SP or SAML IdP and is potentially vulnerable.
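The version matrix and the ns.conf check above can be combined into a single offline triage script that runs against data collected from each appliance during the inventory review. The following Python is an added example and is not code from Citrix, HC3 or the original article. It assumes the first line of `show ns version` output as the version source, takes the FIPS or NDcPP edition as an explicit parameter because the example does not infer it from the banner, and uses constructed sample data rather than a capture from a real appliance.

```python
"""Offline CVE-2022-27518 exposure triage for Citrix ADC / Citrix Gateway.

Added example (not Citrix, HC3 or article code). It takes two inputs an
operator can collect from the appliance CLI:
  * the first line of `show ns version`, e.g.
        NetScaler NS13.0: Build 58.30.nc, Date: ...
  * the contents of /nsconfig/ns.conf
and flags the appliance only when BOTH hold: the build is below the fixed
build for its branch, and a SAML SP or SAML IdP is configured.
"""
import re

# Fixed builds per Citrix bulletin CTX474995. Builds are compared as
# (build, sub-build) tuples, e.g. "Build 58.30" -> (58, 30).
FIXED_BUILDS = {
    "13.0": (58, 32),
    "12.1": (65, 25),
    "12.1-FIPS": (55, 291),
    "12.1-NDcPP": (55, 291),
}

# The two ns.conf commands that indicate a SAML SP or SAML IdP configuration.
SAML_COMMANDS = (
    "add authentication samlAction",
    "add authentication samlIdPProfile",
)

VERSION_RE = re.compile(r"NS(?P<release>\d+\.\d+): Build (?P<build>\d+)\.(?P<sub>\d+)")


def parse_version(show_version_line):
    """Return (release, (build, sub)) from a `show ns version` banner line."""
    m = VERSION_RE.search(show_version_line)
    if m is None:
        raise ValueError(f"unrecognised version banner: {show_version_line!r}")
    return m["release"], (int(m["build"]), int(m["sub"]))


def build_is_vulnerable(release, build, edition=None):
    """True if this branch/build predates the fix; False if fixed or unaffected.

    `edition` is "FIPS" or "NDcPP" for the 12.1 special builds (assumption: the
    caller knows the edition; this example does not infer it from the banner).
    Releases absent from FIXED_BUILDS (e.g. 13.1) are treated as unaffected.
    """
    key = release if edition is None else f"{release}-{edition}"
    fixed = FIXED_BUILDS.get(key)
    return fixed is not None and build < fixed


def saml_config_lines(ns_conf):
    """Return the ns.conf lines that configure a SAML SP or SAML IdP."""
    return [
        line.strip()
        for line in ns_conf.splitlines()
        if line.lstrip().startswith(SAML_COMMANDS)
    ]


def assess(show_version_line, ns_conf, edition=None):
    """Combine the version check and the ns.conf check into one verdict."""
    release, build = parse_version(show_version_line)
    saml = saml_config_lines(ns_conf)
    old_build = build_is_vulnerable(release, build, edition)
    return {
        "release": release,
        "build": build,
        "unpatched_build": old_build,
        "saml_lines": saml,
        # Exploitable only when the SAML trigger condition is present too;
        # an unpatched build with no SAML config should still be patched.
        "vulnerable": old_build and bool(saml),
    }


# Constructed sample data: not captured from a real appliance.
SAMPLE_VERSION = "NetScaler NS13.0: Build 58.30.nc, Date: Nov 1 2022, 10:12:15   (64-bit)"
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication vserver auth_vs SSL 10.0.0.20 443
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.internal/sso" -samlUserField NameID
add authentication samlIdPProfile saml_idp_prof -samlSPCertName sp_cert -assertionConsumerServiceURL "https://app.example.internal/saml/acs"
add lb vserver emr_vs SSL 10.0.0.30 443
"""

if __name__ == "__main__":
    result = assess(SAMPLE_VERSION, SAMPLE_NS_CONF)
    print(f"release {result['release']} build {result['build']}: "
          f"unpatched={result['unpatched_build']} "
          f"saml_entries={len(result['saml_lines'])} "
          f"VULNERABLE={result['vulnerable']}")
```

The verdict deliberately separates "unpatched build" from "vulnerable": an appliance on an affected build with no SAML configuration is not exploitable through this bug today, but a later configuration change could make it so, which is why the patch should still be applied. Fleet-wide, run `assess` once per appliance with the banner line and ns.conf pulled from each host.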
All vulnerable instances of these Citrix systems should be patched immediately to prevent exploitation, and it is also strongly advised to check whether the vulnerability has already been exploited; YARA signatures for this purpose are available via the HC3 alert. If evidence of compromise is found, all Citrix instances should be moved behind a VPN or otherwise placed behind an additional authentication layer, and multifactor authentication should be enforced. Citrix ADC appliances located in environments where malicious activity has been discovered should be isolated and then restored to a previously known good state.