Critical Citrix zero-day exploited in the wild

Target Industry

This vulnerability poses a potential threat to most sectors. However, APT5 has historical targeting behaviour against Asia-based global telecommunications companies, high-tech manufacturing, and western military application technology organisations.

Overview

Severity level: Critical – Exploitation may result in root-level compromise.

Citrix has recently released details of a new critical vulnerability that, if exploited, may result in an unauthenticated remote threat actor having the ability to perform arbitrary code execution on the targeted system.

The vulnerability is being tracked as CVE-2022-27518.

This vulnerability affects Citrix ADC and Gateway products, but not Citrix-managed cloud services or Citrix-managed Adaptive Authentication.

The US National Security Agency (NSA) has reported that the Chinese state-sponsored threat actor APT5 has, on at least one occasion, actively exploited this vulnerability in the wild. To counter the threat of APT5, the NSA has released a full threat hunting guide.

Impact

Once successfully exploited, this vulnerability would allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance, thus resulting in root-level compromise.

Vulnerability Detection

The Citrix product versions vulnerable to this CVE are listed below.

Affected Products

  • Citrix ADC and Citrix Gateway 13.0 before version 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before version 12.1-65.25
  • Citrix ADC 12.1-FIPS before version 12.1-55.291
  • Citrix ADC 12.1-NDcPP before version 12.1-55.291

Containment, Mitigations & Remediations

Customers are strongly advised to patch all affected Citrix products to the following patching level:

  • Citrix ADC and Citrix Gateway 13.0-58.32 and later releases
  • Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP
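To turn the affected-version and patch-level lists above into a repeatable check across an estate, the following script compares each appliance's build against the fixed builds named in this bulletin. It is an added example, not code from the bulletin or from Citrix; it assumes the first line of the ADC CLI `show version` output has the form `NetScaler NS13.0: Build 58.32.nc, Date: ...` (adjust the regex if your output differs), and the FIPS/NDcPP edition is supplied by the operator because the version string alone does not reliably reveal it. Hostnames and build strings in the sample inventory are constructed.

```python
"""Added example (not from the bulletin or Citrix): compare Citrix ADC /
Gateway build strings against the fixed builds for CVE-2022-27518."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds taken from the bulletin, keyed by release line. Any build
# below the listed (major, minor) on that line is within the affected range.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "13.0": (58, 32),
    "12.1": (65, 25),
    "12.1-FIPS": (55, 291),
    "12.1-NDcPP": (55, 291),
}

# Assumed format of the first line of `show version` on the ADC CLI, e.g.
# "NetScaler NS13.0: Build 58.32.nc, Date: ...". Adjust if yours differs.
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)\.nc")


def parse_show_version(text: str, edition: str = "") -> Optional[Tuple[str, int, int]]:
    """Return (release_line, build_major, build_minor), or None if unparseable.

    `edition` is "" for standard builds, or "FIPS" / "NDcPP" as used in the
    bulletin; the operator supplies it because the version string does not
    reliably carry the edition.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    line = m.group(1) + (f"-{edition}" if edition else "")
    return line, int(m.group(2)), int(m.group(3))


def is_vulnerable(line: str, major: int, minor: int) -> Optional[bool]:
    """True if the build is below the fixed build for its release line,
    False if at or above it, None if the line is not covered by the bulletin
    (e.g. a 13.1 build, which the affected list does not mention)."""
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return None
    return (major, minor) < fixed  # tuple comparison: major first, then minor


def assess_fleet(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map hostname -> verdict string for a list of (host, edition, version_text)."""
    result: Dict[str, str] = {}
    for host, edition, version_text in inventory:
        parsed = parse_show_version(version_text, edition)
        if parsed is None:
            result[host] = "UNPARSED"
            continue
        line, major, minor = parsed
        verdict = is_vulnerable(line, major, minor)
        if verdict is None:
            result[host] = "NOT COVERED"
        elif verdict:
            fixed = FIXED_BUILDS[line]
            result[host] = f"PATCH to {line} build {fixed[0]}.{fixed[1]}"
        else:
            result[host] = "OK"
    return result


# Constructed sample inventory: hostnames and build strings are made up.
SAMPLE_INVENTORY = [
    ("adc-dc1", "", "NetScaler NS13.0: Build 47.24.nc, Date: Jan 1 2022"),
    ("adc-dc2", "", "NetScaler NS13.0: Build 58.32.nc, Date: Jan 1 2022"),
    ("gw-edge", "", "NetScaler NS12.1: Build 65.21.nc, Date: Jan 1 2022"),
    ("adc-fips", "FIPS", "NetScaler NS12.1: Build 55.290.nc, Date: Jan 1 2022"),
    ("adc-new", "", "NetScaler NS13.1: Build 33.47.nc, Date: Jan 1 2022"),
    ("adc-odd", "", "unexpected output"),
]

if __name__ == "__main__":
    for host, verdict in assess_fleet(SAMPLE_INVENTORY).items():
        print(f"{host:10} {verdict}")
```

A "NOT COVERED" verdict means only that the release line is absent from this bulletin's affected list, not that the appliance is safe; confirm against the Citrix bulletin linked under Further Information before closing it out.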

Additionally, it is good practice for customers to place all Citrix ADC instances behind a VPN or another control that requires valid user authentication, such as multi-factor authentication (MFA), before the ADC can be reached.

Indicators of Compromise

Associated CVE-2022-27518 IP: 13.0.88[.]16

Threat Landscape

Vulnerabilities such as this are constantly being developed and exploited, and it is up to the cyber security industry to ensure that every effort is being made to mitigate threats. When nation-states are reportedly backing these exploits, it increases the danger posed by them due to the potential resources available.

Threat Group

APT5 is a suspected Chinese state-sponsored threat actor that has been active since at least 2007 and has targeted multiple sectors during its years of activity. These targets include communications providers, high-tech manufacturing firms, and western military technology providers. Most past victims appear to have an affiliation with their corresponding governments, either via critical national infrastructure (CNI) or through defence contract partnerships.

The targeting of CNI and defence technology is not new for Chinese-sponsored threat actors, as China has historically used stolen intellectual property to advance the nation's own sectors. It is highly likely that this activity will continue into the foreseeable future, as China continues to grow on the world stage.

Further Information

Citrix Bulletin – CVE-2022-27518

Intelligence Terminology Yardstick