Dec 14, 2022 | Ravie Lakshmanan | Application Security / Zero-Day

Citrix ADC and Gateway Zero-Day Vulnerability

The U.S. National Security Agency (NSA) on Tuesday said[1]
a threat actor tracked as APT5 has been actively exploiting a
zero-day flaw in Citrix Application Delivery Controller (ADC) and
Gateway to take over affected systems.

The critical remote code execution vulnerability, identified as
CVE-2022-27518[2], could allow an
unauthenticated attacker to execute commands remotely on vulnerable
devices and seize control.

Successful exploitation, however, requires that the Citrix ADC
or Citrix Gateway appliance is configured as a SAML service
provider (SP) or a SAML identity provider (IdP); appliances that do
not use SAML authentication are not exposed to this flaw.


The following supported versions of Citrix ADC and Citrix
Gateway are affected by the vulnerability:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix ADC and Citrix Gateway versions 13.1 are not impacted.
The company also said there are no workarounds available “beyond
disabling SAML authentication or upgrading to a current build.”
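As an added illustration (this is not code from the article, the NSA, or Citrix), the following Python script turns the two conditions above into a check a practitioner could run against output collected from an appliance: it parses a `show ns version` banner and compares the build against the fixed builds listed above, then scans a saved `ns.conf` for a SAML SP action or SAML IdP profile, the configuration the advisory names as a precondition. The banner format, the `ns.conf` command names (`add authentication samlAction`, `add authentication samlIdPProfile`) and the sample inputs are constructed assumptions; the FIPS/NDcPP branch is passed in as an explicit variant because the banner alone is not assumed to reveal it.

```python
import re

# First fixed build per branch, from the Citrix advisory for CVE-2022-27518.
# Key: (release, variant) where variant is "", "FIPS" or "NDcPP".
FIXED_BUILDS = {
    ("13.0", ""): (58, 32),
    ("12.1", ""): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# Assumed banner shape: "NetScaler NS13.0: Build 58.32.nc, Date: ..."
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")

# ns.conf commands that define a SAML SP (samlAction) or SAML IdP
# (samlIdPProfile). Assumed names; matched case-insensitively.
SAML_CMDS = ("add authentication samlaction", "add authentication samlidpprofile")


def parse_version(banner: str):
    """Return (release, (major_build, minor_build)) from a version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable_build(release: str, build, variant: str = "") -> bool:
    """True if the build is older than the fixed build for its branch.
    Releases not in the table (e.g. 13.1) are treated as unaffected."""
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return False
    return tuple(build) < fixed


def saml_configured(ns_conf: str) -> bool:
    """True if the saved config defines a SAML SP action or SAML IdP profile."""
    return any(line.strip().lower().startswith(SAML_CMDS)
               for line in ns_conf.splitlines())


def assess(banner: str, ns_conf: str, variant: str = "") -> str:
    """Combine both advisory conditions into a single verdict."""
    release, build = parse_version(banner)
    vulnerable = is_vulnerable_build(release, build, variant)
    saml = saml_configured(ns_conf)
    if vulnerable and saml:
        return "exposed: vulnerable build with SAML configured"
    if vulnerable:
        return "vulnerable build, but SAML not configured"
    return "not affected"


# Constructed sample inputs (not real appliance output).
SAMPLE_BANNER = "NetScaler NS13.0: Build 47.24.nc, Date: Jun 8 2020, 18:03:01"
SAMPLE_CONF = """\
add ns ip 10.0.0.10 255.255.255.0 -type VIP
add authentication ldapAction corp_ldap -serverIP 10.0.0.5
add authentication samlAction okta_sp -samlIdPCertName okta_cert -samlRedirectUrl "https://idp.example/sso"
bind authentication vserver auth_vs -policy saml_pol -priority 100
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```

The build comparison is done on integer tuples rather than on the raw string, so `13.0-58.32` correctly sorts above `13.0-47.24`; a string comparison would get that wrong once a build number crosses a digit boundary. Note that a "not affected" verdict only covers this CVE and says nothing about later Citrix advisories.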

Citrix said it is aware of a "small number of targeted attacks in
the wild" exploiting the flaw and urged customers to install the
fixed builds on any system that is not yet mitigated.

APT5[3], also known as Bronze
Fleetwood, Keyhole Panda, Manganese, and UNC2630, is believed to
operate on behalf of Chinese interests. Last year, Mandiant
revealed[4]
espionage activity targeting verticals that aligned with government
priorities outlined in China’s 14th Five-Year Plan.

Those attacks involved the abuse of a then-unpatched zero-day flaw
in Pulse Secure VPN devices (CVE-2021-22893[5], CVSS score: 10.0)
to deploy web shells and exfiltrate data from enterprise networks.

“APT5 has demonstrated capabilities against Citrix Application
Delivery Controller deployments,” NSA said. “Targeting Citrix ADCs
can facilitate illegitimate access to targeted organizations by
bypassing normal authentication controls.”

Microsoft, last month, pointed out[6]
Chinese threat actors' history of discovering and exploiting zero-days
before the same bugs are picked up by other adversary groups in the
wild.

News of the Citrix bug also comes a day after Fortinet revealed
a severe vulnerability that also facilitates remote code execution
in FortiOS SSL-VPN devices (CVE-2022-42475[7], CVSS score: 9.3).

VMware releases updates for code execution vulnerabilities

In a related development, VMware disclosed[8]
details of three flaws, two of them rated critical, impacting ESXi,
Fusion, Workstation, and vRealize Network Insight (vRNI) that could
result in command injection and code execution.

  • CVE-2022-31702[9] (CVSS score: 9.8) –
    Command injection vulnerability in vRNI
  • CVE-2022-31703[10] (CVSS score: 7.5) –
    Directory traversal vulnerability in vRNI
  • CVE-2022-31705[11] (CVSS score: 5.9 on ESXi, 9.3 on Workstation
    and Fusion) – Heap out-of-bounds write vulnerability in the EHCI
    (USB 2.0) controller emulation

“On ESXi, the exploitation is contained within the VMX sandbox
whereas, on Workstation and Fusion, this may lead to code execution
on the machine where Workstation or Fusion is installed,” the
company said in a security bulletin for CVE-2022-31705.


References

  1. said (media.defense.gov)
  2. CVE-2022-27518 (www.citrix.com)
  3. APT5 (www.mandiant.com)
  4. revealed (thehackernews.com)
  5. CVE-2021-22893 (thehackernews.com)
  6. pointed out (thehackernews.com)
  7. CVE-2022-42475 (thehackernews.com)
  8. disclosed (www.vmware.com)
  9. CVE-2022-31702 (www.vmware.com)
  10. CVE-2022-31703 (www.vmware.com)
  11. CVE-2022-31705 (www.vmware.com)
