HomeCIS AdvisoriesMultiple Vulnerabilities in Citrix ADC and Gateway Could Allow for Authentication Bypass

Multiple Vulnerabilities in Citrix ADC and Gateway Could Allow for Authentication Bypass

MS-ISAC ADVISORY NUMBER:

2022-132

DATE(S) ISSUED:

11/10/2022

OVERVIEW:

Multiple vulnerabilities have been discovered in Citrix ADC and Gateway, the most severe of which could allow for Authentication Bypass. Citrix ADC and Gateway is an Application Delivery Controller and a gateway service to products respectively. Successful exploitation of the most severe of these vulnerabilities could result in Authentication Bypass. A malicious actor may be able to obtain administrative access. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • ADC and Gateway 13.1
  • ADC and Gateway 13.0
  • ADC and Gateway 12.1
  • ADC 12.1 FIPS
  • ADC 12.1-NDcPP

RISK:

Government:
Large and medium government entitiesHIGH
Small governmentMEDIUM
Businesses:
Large and medium business entitiesHIGH
Small business entitiesMEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Citrix ADC and Gateway, the most severe of which could allow for Authentication Bypass. Details of these vulnerabilities are as follows:
Tactic: Initial Access (TA0001):
Technique: External Remote Services (T1133):

  • Authentication Bypass vulnerability (CVE-2022-27510)
  • Insufficient Verification of Data Authenticity Vulnerability (CVE-2022-27513)
  • Protection Mechanism Failure Vulnerability (CVE-2022-27516)
    Successful exploitation of the most severe of these vulnerabilities could result in Authentication Bypass. A malicious actor may be able to obtain administrative access. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Citrix to vulnerable systems immediately after appropriate testing. (M1051: Update Software)

  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

  • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.

  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)

  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)

  • Safeguard 4.1: Establish and Maintain a Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

  • Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.

  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)

  • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

  • Safeguard 13.10: Performing Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)

  • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.

  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.

  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)

  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

Get Email Updates When Cyber Threats Like This Arise

Subscribe to Advisories

Information Hub

Advisories

See All Advisories
Advisory04.24.2024
2024-043: Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Read More
Advisory04.17.2024
2024-042: Oracle Quarterly Critical Patches Issued April 16, 2024
Read More
Press Release04.17.2024
Center for Internet Security Partners with State and Federal Cyber Experts to Offer Security Solutions for K-12 Schools
Read More
Press Release03.06.2024
Making a Difference and Building Capacity in 2023
Read More