Multiple Vulnerabilities in Citrix ADC and Gateway Could Allow for Authentication Bypass
MS-ISAC ADVISORY NUMBER:
2022-132DATE(S) ISSUED:
11/10/2022OVERVIEW:
Multiple vulnerabilities have been discovered in Citrix ADC and Gateway, the most severe of which could allow for Authentication Bypass. Citrix ADC and Gateway is an Application Delivery Controller and a gateway service to products respectively. Successful exploitation of the most severe of these vulnerabilities could result in Authentication Bypass. A malicious actor may be able to obtain administrative access. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- ADC and Gateway 13.1
- ADC and Gateway 13.0
- ADC and Gateway 12.1
- ADC 12.1 FIPS
- ADC 12.1-NDcPP
RISK:
Government:
Businesses:
Home Users:
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Citrix ADC and Gateway, the most severe of which could allow for Authentication Bypass. Details of these vulnerabilities are as follows:
Tactic: Initial Access (TA0001):
Technique: External Remote Services (T1133):
- Authentication Bypass vulnerability (CVE-2022-27510)
- Insufficient Verification of Data Authenticity Vulnerability (CVE-2022-27513)
- Protection Mechanism Failure Vulnerability (CVE-2022-27516)
Successful exploitation of the most severe of these vulnerabilities could result in Authentication Bypass. A malicious actor may be able to obtain administrative access. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.
RECOMMENDATIONS:
We recommend the following actions be taken:
-
Apply appropriate updates provided by Citrix to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
-
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
-
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
-
Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
-
Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
-
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
-
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
-
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
-
Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
-
Safeguard 4.1: Establish and Maintain a Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
-
Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.
-
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
-
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
-
Safeguard 13.10: Performing Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
-
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
-
Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
-
Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
-
Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
-
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
-
Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
-
Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.