Citrix is urging customers to install security updates for a critical authentication bypass vulnerability in Citrix ADC and Citrix Gateway.
Under specific configurations, the three vulnerabilities can enable attackers to gain unauthorized access to the device, perform remote desktop takeover, or bypass the login brute force protection.
“Note that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the first issue, which is rated as a Critical severity vulnerability,” explains the Citrix security bulletin.
Citrix Gateway is an SSL VPN service providing secure remote access with identity and access management capabilities, widely deployed in the cloud or on on-premise company servers.
Citrix ADC is a load-balancing solution for cloud applications deployed in the enterprise, ensuring uninterrupted availability and optimal performance.
Both products are extensively used by organizations worldwide, and the three flaws impact current and previous versions actively supported by the vendor.
The three vulnerabilities affecting both Citrix Gateway and Citrix ADC are the following:
CVE-2022-27510: Critical-severity authentication bypassing using an alternate path or channel, exploitable only if the appliance is configured as VPN (Gateway).
CVE-2022-27513: Insufficient verification of data authenticity, allowing remote desktop takeover via phishing. The flaw is exploitable only if the appliance is configured as VPN (Gateway), and the RDP proxy functionality is configured.
CVE-2022-27516: Login brute force protection mechanism failure allowing its bypassing. This vulnerability can only be exploited if the appliance is configured as VPN (Gateway) or AAA virtual server with “Max Login Attempts” configuration.
“Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible,” warns Citrix.
The above flaws impact the following product versions:
Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
Citrix ADC and Citrix Gateway 12.1 before 184.108.40.206
Citrix ADC 12.1-FIPS before 12.1-55.289
Citrix ADC 12.1-NDcPP before 12.1-55.289
Users of these product versions who manage Citrix appliances themselves need to upgrade to the latest available version as soon as possible.
Customers who rely on Citrix for cloud-based management services don’t need to take any action, as the vendor has already applied the security updates.
Note that information about product versions before 12.1 that have reached the end of life isn’t available, so customers still using these versions are recommended to upgrade to a supported release.