JPCERT-AT-2022-0033
JPCERT/CC
2022-12-14

<<< JPCERT/CC Alert 2022-12-14 >>>

Alert Regarding Vulnerability (CVE-2022-27518) in Citrix ADC and Citrix Gateway

https://www.jpcert.or.jp/english/at/2022/at220033.html

I. Overview

On December 13, 2022 (local time), Citrix released information regarding a vulnerability (CVE-2022-27518) in Citrix Application Delivery Controller (Citrix ADC) and Citrix Gateway. An unauthenticated, remote attacker who exploits the vulnerability may execute arbitrary code.

    Citrix
    Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518
    https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518

Citrix is aware of a small number of targeted attacks in the wild using this vulnerability. Users of the affected products are recommended to take actions such as applying updates according to the information provided by Citrix or other parties.

II. Affected Products

The following products and versions are affected by this vulnerability.

- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291

The products are affected by the vulnerability if Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP. Users can check the configuration file to determine whether their Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP.

III. Solution

Citrix has provided versions that address the vulnerability. Please consider updating to these versions by referring to the information provided by Citrix.

- Citrix ADC and Citrix Gateway 13.0-58.32 and later releases
- Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP

IV. Related information

On December 13, 2022 (local time), the US National Security Agency (NSA) released guidance on this vulnerability. NSA has confirmed attack activities that exploit this vulnerability, and provides steps to look for possible artifacts of this type of activity.

    National Security Agency (NSA)
    APT5: Citrix ADC Threat Hunting Guidance
    https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF

V. References

    Citrix
    Critical security update now available for Citrix ADC, Citrix Gateway
    https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/

If you have any information regarding this alert, please contact JPCERT/CC.

======================================================================
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
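
The two conditions in Section II (a build older than the fixed release for its branch, and a SAML SP or SAML IdP configuration) can be checked together during triage. The following is an added example, not code from JPCERT/CC or Citrix. It assumes the SAML roles appear in the saved configuration as the commands "add authentication samlAction" (SP) and "add authentication samlIdPProfile" (IdP); the function names and the sample configuration are constructed for illustration.

```python
import re

# Fixed builds per branch, taken from Sections II and III of this alert.
FIXED_BUILDS = {
    "13.0": (58, 32),
    "12.1": (65, 25),
    "12.1-FIPS": (55, 291),
    "12.1-NDcPP": (55, 291),
}

# Assumption: these commands mark the SAML SP and SAML IdP roles in the
# saved configuration (the alert itself does not quote them).
SAML_COMMANDS = {
    "SAML SP": re.compile(r"^\s*add\s+authentication\s+samlAction\b", re.I | re.M),
    "SAML IdP": re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\b", re.I | re.M),
}

def build_is_vulnerable(branch, build):
    """True/False for a listed branch, None if the alert does not list it."""
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    m = re.fullmatch(r"(\d+)\.(\d+)", build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    # Compare numerically: 58.4 is older than 58.32, which a string
    # comparison would get wrong.
    return (int(m.group(1)), int(m.group(2))) < fixed

def saml_roles(config_text):
    """Return the SAML roles found in the configuration text."""
    return [role for role, rx in SAML_COMMANDS.items() if rx.search(config_text)]

def triage(branch, build, config_text):
    vulnerable = build_is_vulnerable(branch, build)
    if vulnerable is None:
        return "branch not listed in this alert"
    if not vulnerable:
        return "fixed build"
    roles = saml_roles(config_text)
    if roles:
        return "affected: update required (" + ", ".join(roles) + ")"
    return "vulnerable build, no SAML SP/IdP configured"

# Constructed sample configuration, not taken from a real appliance.
SAMPLE_CONFIG = """\
add authentication samlAction sp_example -samlIdPCertName idp_cert
add lb vserver web_vs HTTP 192.0.2.10 80
"""
```

A result of "vulnerable build, no SAML SP/IdP configured" still leaves the appliance on a build older than the fixed release, so the update in Section III applies before any SAML role is enabled.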