Citrix has issued a critical alert calling for immediate action to install updates to certain models of its Application Delivery Controller (ADC) and Gateway products after the discovery of a zero-day vulnerability allowing threat actors to bypass authentication controls.
“Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible,” the alert says. “Exploits of this issue on unmitigated appliances in the wild have been reported.”
Separately, the U.S. National Security Agency (NSA) issued an advisory with detection and mitigation guidance for tools leveraged by a malicious actor that focuses on exploiting these two products.
The exploit, CVE-2022-27518, is described as allowing unauthenticated remote arbitrary code execution. It affects the following customer-managed products:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
IT environments with Citrix-managed cloud services or Citrix-managed Adaptive Authentication don’t have to take action. Citrix ADC and Citrix Gateway version 13.1 is unaffected.
To be vulnerable, devices must be configured to use Security Assertion Markup Language (SAML) for a single sign-on login, either SAML SP (service provider) or SAML IdP (identity provider). Admins should inspect the ns.config file to see if the line “add authentication samlAction” or “add authentication samlIdPProfile” is present in the affected models. If so they must be updated.
In its advisory the NSA said a threat actor known to security researchers as APT5, UNC2630 or Manganese is going after Citrix ADC and Gateway products.
For defence, it recommends Citrix administrators check key executables, or binaries, such as nsppe, nsaaad, nsconf, nsreadfile, and nsconmsg against known good copies for file integrity.
“A malicious actor enabling continued access [to an IT environment] will likely require modification to legitimate binaries,” the advisory explains.
NSA also recommends that organizations take scheduled tech support bundles and/or
snapshots of their running environment and store them in an offline or otherwise
immutable location to create a forensic history of systems. These backups can be used
to compare running instances or to reconstruct events if suspicious activity is identified, it says.
The advisory also recommends that administrators leverage off-device logging mechanisms for all system logs to look for suspicious behaviour. For example, this particular threat actor is known to leverage the tools that run “pb_policy.” It will show up in logs without being linked to expected administrator activity.
The advisory includes Yara signatures that can be used to detect malware seen being
used by this threat actor in this campaign.
If any suspicious activity is detected, all Citrix ADC instances should be moved behind a VPN or other capability that requires valid user authentication (ideally multi-factor) prior to being able to access the ADC, the NSA says. Isolate the Citrix ADC appliances from the environment to ensure any malicious activity is contained. Then restore the Citrix ADC to a known good state.