Citrix ADC and Citrix Gateway Remote Code Execution Vulnerability (CVE-2022-27518)

December 15, 2022 | Jie Ji

Overview

On December 14, NSFOCUS CERT detected that Citrix officially released a security bulletin for a remote code execution vulnerability (CVE-2022-27518) in Citrix ADC and Citrix Gateway. Because of deficiencies in the system's control over the lifecycle of resources, an unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on a target system when Citrix ADC or Citrix Gateway is configured as a Security Assertion Markup Language (SAML) Service Provider (SP) or SAML Identity Provider (IdP). The CVSS score is 9.8. The vulnerability has already been exploited in the wild. Affected users are urged to take protective measures as soon as possible.

Citrix ADC provides application delivery and load balancing for virtualized, advanced web and application services as well as remote access services. Citrix Gateway is a secure remote access solution with multiple Identity and Access Management (IdAM) features.

Reference link:

https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518

Scope of Impact

Affected version

  • Citrix ADC and Citrix Gateway 13.0-x < 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1-x < 12.1-65.25
  • Citrix ADC 12.1-FIPS < 12.1-55.291
  • Citrix ADC 12.1-NDcPP < 12.1-55.291

Unaffected version

  • Citrix ADC and Citrix Gateway >= 13.0-58.32
  • Citrix ADC and Citrix Gateway >= 12.1-65.25
  • Citrix ADC 12.1-FIPS >= 12.1-55.291
  • Citrix ADC 12.1-NDcPP >= 12.1-55.291

Detection

Users can check the ns.conf file to determine whether the appliance is configured as a SAML SP or SAML IdP. If either of the following configuration commands appears in ns.conf and the appliance runs an affected version, it may be vulnerable and should be updated immediately:

add authentication samlAction

add authentication samlIdPProfile
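The following script is an added example (not NSFOCUS or Citrix code) that automates the two checks above: it parses a Citrix build string such as 13.0-58.32 and compares it against the affected ranges listed in this advisory, and it scans an ns.conf excerpt for the two SAML commands. The ns.conf sample inside the script is constructed for illustration; the `edition` parameter ("standard", "fips", "ndcpp") and the function names are this example's own. Branches the advisory does not list (for example 13.1) are reported as unknown rather than as safe.

```python
"""Triage helper for CVE-2022-27518: is the build in an affected range listed in
the advisory, and does ns.conf contain a SAML SP/IdP configuration?
Example code added to this advisory; not from NSFOCUS or Citrix."""
import re
from typing import List, Optional, Tuple

# Affected branches from the advisory, keyed by (edition, major.minor branch),
# with the first fixed build as the value. "standard" covers both Citrix ADC
# and Citrix Gateway; FIPS and NDcPP are Citrix ADC editions.
AFFECTED = {
    ("standard", (13, 0)): (13, 0, 58, 32),
    ("standard", (12, 1)): (12, 1, 65, 25),
    ("fips", (12, 1)): (12, 1, 55, 291),
    ("ndcpp", (12, 1)): (12, 1, 55, 291),
}

# The two ns.conf commands the advisory names as indicators of SAML SP/IdP use.
SAML_COMMANDS = ("add authentication samlAction", "add authentication samlIdPProfile")

# Citrix build strings look like "13.0-58.32": major.minor-build.sub
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '13.0-58.32' into (13, 0, 58, 32); raise ValueError on any other shape."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix build string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected_version(version: str, edition: str = "standard") -> Optional[bool]:
    """True if the build is below the fixed build for its branch, False if at or
    above it, None if the advisory does not list that (edition, branch) pair."""
    v = parse_version(version)
    fixed = AFFECTED.get((edition.lower(), v[:2]))
    if fixed is None:
        return None
    return v < fixed  # tuple comparison: (13,0,58,30) < (13,0,58,32)


def saml_config_lines(ns_conf: str) -> List[str]:
    """Return every ns.conf line that begins with one of the SAML commands."""
    return [ln.strip() for ln in ns_conf.splitlines() if ln.strip().startswith(SAML_COMMANDS)]


def triage(version: str, ns_conf: str, edition: str = "standard") -> str:
    """Combine the version check and the ns.conf check into one verdict string."""
    affected = is_affected_version(version, edition)
    saml = saml_config_lines(ns_conf)
    if affected is None:
        return "branch not listed in advisory; verify against the vendor bulletin"
    if affected and saml:
        return "AFFECTED: vulnerable build with SAML SP/IdP configured; upgrade immediately"
    if affected:
        return "vulnerable build but no SAML SP/IdP configuration found; upgrade anyway"
    return "fixed build"


# Constructed ns.conf excerpt for demonstration; not taken from a real appliance.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication vserver auth_vs SSL 10.0.0.6 443
bind authentication vserver auth_vs -policy saml_pol -priority 100
"""

if __name__ == "__main__":
    for ver in ("13.0-58.30", "13.0-58.32", "12.1-55.290", "13.1-1.1"):
        print(f"{ver:>12}: {triage(ver, SAMPLE_NS_CONF)}")
```

On a real appliance, feed the script the output of `show ns version` and the contents of /nsconfig/ns.conf; a "fixed build" verdict still assumes the build string was read from the running system rather than from documentation.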

Users can also check for the malware used by the attackers in this campaign with the following YARA signatures:

// Strings referencing the appliance log files the malware tampers with
rule tricklancer_a {
 strings:
  $str1 = "//var//log//ns.log" nocase ascii wide
  $str2 = "//var//log//cron" nocase ascii wide
  $str3 = "//var//log//auth.log" nocase ascii wide
  $str4 = "//var//log//httpaccess-vpn.log" nocase ascii wide
  $str5 = "//var//log//nsvpn.log" nocase ascii wide
  $str6 = "TF:YYYYMMddhhmmss" nocase ascii wide
  $str7 = "//var//log//lastlog" nocase ascii wide
  $str8 = "clear_utmp" nocase ascii wide
  $str9 = "clear_text_http" nocase ascii wide
 condition:
  7 of ($str*)
}

// Strings from the component that injects into the nsppe process
rule tricklancer_b {
 strings:
  $str1 = "nsppe" nocase ascii wide
  $str2 = "pb_policy -h nothing" nocase ascii wide
  $str3 = "pb_policy -d" nocase ascii wide
  $str4 = "findProcessListByName" nocase ascii wide
  $str5 = "restoreStateAndDetach" nocase ascii wide
  $str6 = "checktargetsig" nocase ascii wide
  $str7 = "DoInject" nocase ascii wide
  $str8 = "DoUnInject" nocase ascii wide
 condition:
  7 of ($str*)
}

// Strings from the component that hooks VPN request handling
rule tricklancer_c {
 strings:
  $str1 = "is_path_traversal_or_vpns_attack_request" nocase ascii wide
  $str2 = "ns_vpn_process_unauthenticated_request" nocase ascii wide
  $str3 = "mmapshell" nocase ascii wide
  $str4 = "DoUnInject" nocase ascii wide
  $str5 = "CalcDistanse" nocase ascii wide
  $str6 = "checkMyData" nocase ascii wide
  $str7 = "vpn_location_url_len" nocase ascii wide
 condition:
  5 of ($str*)
}

If the above detection methods indicate a problem, users can mitigate the risk with the following measures:

(1) Move all Citrix ADC instances behind a VPN or other feature where authentication (preferably multi-factor) exists before accessing Citrix ADC.

(2) Isolate the Citrix ADC appliance from the environment.

(3) Restore Citrix ADC to a secure configuration state.

Reference link: https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF

Mitigation

Citrix has released fixed versions for this vulnerability. Affected users are advised to upgrade to a fixed version promptly:

https://www.citrix.com/downloads/citrix-adc/

https://www.citrix.com/downloads/citrix-gateway/

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.