Citrix has released security updates for critical vulnerabilities in its Citrix ADC and Citrix Gateway products over the past few months and has issued security advisories for them. Nevertheless, it appears that thousands of Citrix ADC and Citrix Gateway instances remain unpatched against the vulnerabilities CVE-2022-27510 and CVE-2022-27518. The vulnerabilities allow an attacker to take over the affected instances.
CVE-2022-27510 and CVE-2022-27518
Vulnerability CVE-2022-27510 allows unauthorized access to Citrix ADCs and Citrix Gateways. On November 8, 2022, Citrix published the advisory Citrix Gateway and Citrix ADC Security Bulletin for CVE-2022-27510, CVE-2022-27513 and CVE-2022-27516, together with firmware updates for the affected products. CVE-2022-27510 has been assigned a CVSS score of 9.8 (see this Rapid7 report).
Vulnerability CVE-2022-27518 was addressed in the Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 on December 13, 2022. The vulnerability allows an unauthenticated attacker to execute arbitrary code on Citrix Gateways and Citrix ADCs. I had reported on it in the blog post Critical Vulnerability CVE-2022-27518 in Citrix ADC and Gateway.
Citrix noted at the time that a small number of targeted attacks were exploiting this vulnerability. In the comments on the above blog post, it was already pointed out that there were discrepancies between the date of the alert (Dec. 13, 2022) and the firmware versions of the updates mentioned in the advisory: some security updates had been released well before Dec. 13, 2022, with no reference to CVE-2022-27518 in their change logs.
Still thousands of Citrix devices unpatched
Citrix ADC and Citrix Gateway servers are typically exposed to the Internet by the very nature of these devices (appliances). Services such as Shodan and Censys regularly scan the Internet and identify such devices and servers. Security researcher Yun Zheng Hu of Fox IT published this alarming post on December 28, 2022. He used the above services to look for Citrix ADC and Citrix Gateway servers whose SSL VPN/Gateway service is reachable from the Internet. As of November 11, 2022, approximately 28,000 such servers were found on the Internet.
The query itself does not return any version information. However, the response from the queried servers contains an MD5 hash-like value that can be used to determine the Citrix ADC and Citrix Gateway product version. In his article, Yun Zheng Hu explains in detail how he evaluated the Citrix devices found and identified the firmware versions in use.
Source: Fox IT
The above diagram shows the Citrix ADCs and Gateways accessible via the Internet, broken down by firmware version. The bars show the number of devices found for each version. The colors indicate whether a firmware version is unpatched with respect to the vulnerabilities mentioned above. Green bars indicate instances at the current patch level. The orange bar for version 12.1-65.21, however, stands for several thousand device instances (more than 3,500) that are still vulnerable to CVE-2022-27518. The other firmware versions are unpatched against both vulnerabilities. The issue was first raised by Bleeping Computer here. I'm going to assume that the blog readers responsible for such Citrix devices have already provided them with the appropriate updates.
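Putting the chart's per-version classification into code, as an added example (not from the article, Fox IT or Citrix): it parses Citrix firmware strings such as 12.1-65.21 and reports which of the two CVEs each inventory entry is not confirmed patched against. The fixed-build table and the inventory are constructed placeholders; only the fact that 12.1-65.21 is patched for CVE-2022-27510 but not for CVE-2022-27518 comes from the article, so the table must be filled from the Citrix bulletins before real use.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]  # major, minor, build, sub-build of "12.1-65.21"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def parse_version(s: str) -> Version:
    """Parse a Citrix ADC / Gateway firmware string into a build-wise comparable tuple."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix version string: {s!r}")
    return tuple(int(x) for x in m.groups())

# First fixed build per CVE and release branch. PLACEHOLDER table constructed for
# this example: only the 12.1 / CVE-2022-27510 entry follows from the article
# (12.1-65.21 is patched for 27510, still exposed to 27518). Fill from the bulletins.
FIXED_BUILDS: Dict[str, Dict[Tuple[int, int], Version]] = {
    "CVE-2022-27510": {(12, 1): (12, 1, 65, 21), (13, 0): (13, 0, 88, 12)},
    "CVE-2022-27518": {(12, 1): (12, 1, 65, 25), (13, 0): (13, 0, 58, 32)},
}

def unpatched_cves(version: str, fixed=FIXED_BUILDS) -> Dict[str, str]:
    """Per CVE: 'patched', 'vulnerable', or 'unknown-branch' (never assumed safe)."""
    v = parse_version(version)
    branch = (v[0], v[1])
    states: Dict[str, str] = {}
    for cve, per_branch in fixed.items():
        fix = per_branch.get(branch)
        if fix is None:
            states[cve] = "unknown-branch"
        else:
            states[cve] = "patched" if v >= fix else "vulnerable"
    return states

def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by the CVEs they are not confirmed patched against."""
    exposed: Dict[str, List[str]] = {}
    for host, version in inventory:
        for cve, state in unpatched_cves(version).items():
            if state != "patched":
                exposed.setdefault(cve, []).append(host)
    return exposed

# Constructed sample inventory: hostnames and all versions but 12.1-65.21 are made up.
SAMPLE_INVENTORY = [
    ("gw-a.example", "12.1-65.21"),  # the article's orange bar
    ("gw-c.example", "12.1-63.24"),  # older build, exposed to both
    ("gw-d.example", "11.1-65.20"),  # branch absent from the table
]
```

Running `triage(SAMPLE_INVENTORY)` lists gw-c and gw-d under both CVEs and gw-a under CVE-2022-27518 only, mirroring the orange bar in the chart.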