Technique: Exploitation for Client Execution (T1203):
- A vulnerability has been discovered in Citrix Gateway and Citrix ADC which could allow for remote code execution. Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this vulnerability to be exploited. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution. (CVE-2022-27518)
Users can determine if their Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP by inspecting the ns.conf file for the following commands:
- add authentication samlAction (Appliance is configured as a SAML SP)
- add authentication samlIdPProfile (Appliance is configured as a SAML IdP)
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate updates provided by Citrix to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.