Citrix urges admins to patch these dangerous flaws immediately


Citrix has released a fix for three high-severity vulnerabilities discovered in two of its popular products, and is now urging users to apply the patch immediately.

The company has fixed three flaws found in Citrix ADC and Citrix Gateway. ADC is a load-balancing solution for cloud applications, apparently used by many enterprises to ensure uninterrupted availability and high performance. 

Gateway, on the other hand, is an SSL VPN service that enables secure remote access with identity and access management features. Both products are, in Citrix's words, “widely deployed”, whether in the cloud or on companies' on-prem servers.

Abusable under specific circumstances

The flaws in question are tracked as CVE-2022-27510, CVE-2022-27513, and CVE-2022-25716. The first allows threat actors to bypass authentication measures using alternate paths and channels. To abuse the flaw, Gateway needs to be configured as a VPN.

The second vulnerability is an insufficient verification of data authenticity flaw, which allows threat actors to take over a desktop endpoint remotely via phishing. For this flaw, Gateway needs to be configured as a VPN, with RDP proxy functionality configured as well.

The final flaw allows cybercriminals to bypass login brute-force protection mechanisms. For the vulnerability to be exploitable, the appliance needs to be configured as a VPN, or as an AAA virtual server with the “Max Login Attempts” setting configured.

"Note that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the first issue, which is rated as a Critical severity vulnerability," Citrix explained.

"Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible," the company further added.

Here is the list of the affected software and its versions:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289
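As an added example (not code from the article, from BleepingComputer or from Citrix), here is a small Python helper that turns the list above into a patch-status check for an appliance inventory. It parses a build string in either the `13.1-33.47` form used in the list or the `NetScaler NS13.1: Build 33.47.nc` banner style that the appliance's `show ns version` command prints (that banner format, the inventory entries and the host names are assumptions constructed for the example), compares the build numerically against the fixed build for its branch and edition, and reports which appliances are still on a vulnerable build.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, build, sub-build)

# Fixed builds per release branch and edition, copied from the affected-versions
# list above. The 12.1 entry is printed "12.1.65.21" in the list; the parser treats
# '-' and '.' between branch and build the same way, so it is kept verbatim.
FIXED_BUILDS = {
    ("13.1", "ADC/Gateway"): "13.1-33.47",
    ("13.0", "ADC/Gateway"): "13.0-88.12",
    ("12.1", "ADC/Gateway"): "12.1.65.21",
    ("12.1", "FIPS"): "12.1-55.289",
    ("12.1", "NDcPP"): "12.1-55.289",
}

# Short form as written in the advisory list, e.g. "13.1-33.47" or "12.1.65.21".
_SHORT = re.compile(r"^\s*(\d+)\.(\d+)[-.](\d+)\.(\d+)\s*$")
# Assumed banner form from `show ns version`, e.g. "NetScaler NS13.1: Build 33.47.nc, Date: ...".
_BANNER = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, build, sub) from a short build string or a version banner."""
    m = _SHORT.match(text) or _BANNER.search(text)
    if not m:
        return None
    major, minor, build, sub = (int(g) for g in m.groups())
    return (major, minor, build, sub)


def assess(text: str, edition: str = "ADC/Gateway") -> Tuple[Optional[bool], Optional[str]]:
    """Compare a build against the fixed build for its branch.

    Returns (affected, fixed_build). `affected` is None when the branch/edition
    pair is not in the advisory list, so the reader must check it by hand.
    """
    version = parse_version(text)
    if version is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch = f"{version[0]}.{version[1]}"
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return None, None
    fixed_version = parse_version(fixed)
    assert fixed_version is not None  # table entries are well-formed
    return version < fixed_version, fixed


# Constructed inventory (hypothetical host names, not real appliances):
# (name, edition, version string as collected from the appliance).
SAMPLE_INVENTORY = [
    ("gw-01", "ADC/Gateway", "NetScaler NS13.1: Build 33.47.nc, Date: Nov 2 2022"),
    ("gw-02", "ADC/Gateway", "NetScaler NS13.0: Build 88.9.nc"),
    ("adc-fips", "FIPS", "12.1-55.280"),
    ("legacy", "ADC/Gateway", "12.0-63.21"),
]


def report(inventory) -> List[Tuple[str, str, Optional[str]]]:
    """Return (name, status, fixed_build) rows; status is PATCH, ok, or not in advisory."""
    rows = []
    for name, edition, version_text in inventory:
        affected, fixed = assess(version_text, edition)
        if affected is True:
            status = "PATCH"
        elif affected is False:
            status = "ok"
        else:
            status = "not in advisory"
        rows.append((name, status, fixed))
    return rows


if __name__ == "__main__":
    for name, status, fixed in report(SAMPLE_INVENTORY):
        print(f"{name:10} {status:16} fixed build: {fixed or '-'}")
```

The check only tells you whether a build is below the fixed one; as Citrix notes above, the critical first issue applies only to appliances operating as a Gateway (SSL VPN or ICA proxy with authentication), so a "PATCH" row on a pure load balancer is a version exposure, not necessarily an exploitable one. A branch the advisory does not list is reported as "not in advisory" rather than "ok" on purpose.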

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.