Two vulnerabilities, CVE-2022-27507 and CVE-2022-27508, exist in Citrix ADC and Citrix Gateway, for which the vendor has issued a security bulletin. Both allow an authenticated attacker to cause a denial of service (DoS) by forcing uncontrolled resource consumption on the appliance. The vendor has released updates to address them. U.S. CISA is urging immediate patching of the vulnerabilities, which are rated medium and high severity respectively.
I had already become aware of these vulnerabilities overnight via the following tweet from. Citrix published security bulletin CTX457048 on the issue on May 25, 2022.
CVE-2022-27507: medium severity
The CVE-2022-27507 vulnerability, rated medium severity, allows an "Authenticated denial of service" through uncontrolled resource consumption, which can take the appliance down. It requires a virtual server with DTLS enabled on the VPN (Gateway) and either "HDX Insight for EDT traffic" or "SmartControl" configured. The vulnerability affects Citrix ADC and Citrix Gateway with the following firmware versions:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-21.50
- Citrix ADC and Citrix Gateway 13.0 before 13.0-85.19
- Citrix ADC and Citrix Gateway 12.1 before 12.1-64.17
- Citrix ADC 12.1-FIPS before 12.1-55.278
- Citrix ADC 12.1-NDcPP before 12.1-55.278
Customers can check whether DTLS is enabled on a VPN virtual server with the following CLI command and inspect the DTLS setting in its output:
show vpn vserver
If DTLS is enabled on a VPN virtual server, the first precondition is met. Customers can check whether "HDX Insight for EDT traffic" or "SmartControl" is configured by looking in the ns.conf file for a VPN vserver policy binding of type ICA_REQUEST:
bind vpn vserver <vserver-name> -policy <policy-name> -priority 100 -type ICA_REQUEST
(The angle-bracket placeholders stand for the virtual server and policy names used in your configuration.)
If such a binding is present together with DTLS enabled, the appliance is configured in a way that exposes it to CVE-2022-27507, and the appropriate update should be installed.
CVE-2022-27508: high severity
This vulnerability is rated high severity and likewise allows an authenticated denial of service, since an attacker can force uncontrolled resource consumption. It requires the appliance to be configured as a VPN (Gateway) or AAA virtual server. Only Citrix ADC and Citrix Gateway 12.1-64.16 are affected by this vulnerability.
All other supported versions of Citrix ADC and Citrix Gateway, including FIPS and NDcPP versions, are not affected by this issue.
Install updates or disable features
Citrix recommends that affected customers install the appropriate updated versions of Citrix ADC or Citrix Gateway as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-21.50 and later versions
- Citrix ADC and Citrix Gateway 13.0-85.19 and later versions of 13.0
- Citrix ADC and Citrix Gateway 12.1-64.17 and newer versions of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.278 and newer versions of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.278 and later versions of 12.1-NDcPP
Customers who are only affected by CVE-2022-27507, have DTLS enabled, and have "HDX Insight for EDT traffic" or "SmartControl" configured can alternatively disable "HDX Insight for EDT traffic" to resolve the issue without upgrading. Citrix has published details in security bulletin CTX457048.
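The two configuration checks and the version comparison above can be scripted against a copy of ns.conf, so the triage does not depend on eyeballing the output. The following POSIX shell script is an added example, not Citrix tooling and not part of the article or bulletin. It assumes the configuration is available as text (for example a copy of /nsconfig/ns.conf), that the build is passed as "<major>.<minor>-<build>.<sub>" (the numbers from "show ns version", so "NS13.0: Build 85.15.nc" becomes "13.0-85.15"), and that a branch label (13.1, 13.0, 12.1, 12.1-FIPS, 12.1-NDcPP) selects the fixed build from the list above. The sample ns.conf fragment, virtual server and policy names are constructed for the example.

```shell
#!/bin/sh
# Added triage helper (not Citrix tooling, not from the original article):
# evaluates the CVE-2022-27507 preconditions from CTX457048 against ns.conf
# text and compares the running build with the fixed builds listed above.
# Assumptions: config available as text; build given as "M.m-b.s"
# ("NS13.0: Build 85.15.nc" -> "13.0-85.15"); branch label selects the fix.
set -u

# Constructed sample ns.conf fragment; vserver and policy names are hypothetical.
SAMPLE_NSCONF='add vpn vserver gw_vip SSL 203.0.113.10 443 -dtls ON
add vpn vserver gw_vip2 SSL 203.0.113.11 443
bind vpn vserver gw_vip -policy edt_insight_pol -priority 100 -type ICA_REQUEST
bind vpn vserver gw_vip2 -policy auth_pol -priority 100 -type REQUEST'

# Prints 1 if any VPN virtual server has DTLS switched on, else 0.
dtls_enabled() {
    printf '%s\n' "$1" | grep -Eq '^(add|set) vpn vserver .*-dtls ON' && echo 1 || echo 0
}

# Prints 1 if an ICA_REQUEST policy binding exists (HDX Insight for EDT
# traffic or SmartControl), else 0.
ica_request_bound() {
    printf '%s\n' "$1" | grep -Eq '^bind vpn vserver .*-type ICA_REQUEST' && echo 1 || echo 0
}

# First fixed build per branch, as listed in CTX457048.
fixed_build() {
    case "$1" in
        13.1) echo 13.1-21.50 ;;
        13.0) echo 13.0-85.19 ;;
        12.1) echo 12.1-64.17 ;;
        12.1-FIPS|12.1-NDcPP) echo 12.1-55.278 ;;
        *) echo "" ;;
    esac
}

# Numeric comparison of two build strings "M.m-b.s": prints lt, eq or gt.
build_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); split(b, y, /[.-]/)
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) { print "lt"; exit }
            if (x[i] + 0 > y[i] + 0) { print "gt"; exit }
        }
        print "eq"
    }'
}

# CVE-2022-27507 verdict: "fixed" on a patched build, "exposed" on a vulnerable
# build whose config meets both preconditions, "not-exposed" on a vulnerable
# build that lacks one of them (still upgrade; the config can change later).
cve_2022_27507_status() {
    fix=$(fixed_build "$1")
    [ -n "$fix" ] || { echo unknown-branch; return; }
    [ "$(build_cmp "$2" "$fix")" = lt ] || { echo fixed; return; }
    if [ "$(dtls_enabled "$3")" = 1 ] && [ "$(ica_request_bound "$3")" = 1 ]; then
        echo exposed
    else
        echo not-exposed
    fi
}

# CVE-2022-27508 verdict: only build 12.1-64.16 is affected, and only when a
# VPN (Gateway) or AAA (authentication) virtual server is configured.
cve_2022_27508_status() {
    [ "$1" = 12.1-64.16 ] || { echo not-affected; return; }
    printf '%s\n' "$2" | grep -Eq '^add (vpn|authentication) vserver ' && echo exposed || echo not-exposed
}

# Stand-alone run against the constructed sample at a pre-fix 13.0 build.
echo "CVE-2022-27507 @ 13.0-85.15: $(cve_2022_27507_status 13.0 13.0-85.15 "$SAMPLE_NSCONF")"
echo "CVE-2022-27508 @ 12.1-64.16: $(cve_2022_27508_status 12.1-64.16 "$SAMPLE_NSCONF")"
```

A "not-exposed" verdict only means the current configuration does not meet the preconditions; it is not a reason to skip the upgrade, since enabling DTLS or binding an ICA_REQUEST policy later would expose the unpatched build.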