On Dec. 16, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert regarding Citrix ADC and Gateway vulnerabilities. The Department of Health and Human Services says that U.S. healthcare entities have already been compromised by the exploitation of this vulnerability.
The sector alert states that “Citrix released patches for a vulnerability that impacts both their Application Delivery Controller and Gateway platforms. This vulnerability allows a remote attacker to completely compromise a target system. These vulnerabilities are known to be actively exploited by a highly capable state-sponsored adversary.”
HC3 is urging healthcare and public health organizations to review their inventory for these systems and implement these patches.
The sector alert adds that “Citrix has recently patched what they describe as a ‘critical’ zero-day vulnerability in their Application Delivery Controller and Gateway. This vulnerability, which is actively compromised, allows an unauthenticated attacker to potentially execute commands remotely on vulnerable devices and completely compromise a system. This report contains the steps necessary to completely protect a system from potential compromise.”
Further, “These vulnerabilities are known to be actively exploited by a Chinese state-sponsored advanced persistent threat known as APT5, and also UNC2630 and MANGANESE. Separately, the US Department of Health and Human Services is aware of U.S. healthcare organizations that have already been compromised by the exploitation of the vulnerability described in this report, although in each case the specific attacker has not yet been identified.”
This vulnerability is tracked as CVE-2022-27518 and impacts Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32; Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25; Citrix ADC 12.1-FIPS before 12.1-55.291; and Citrix ADC 12.1-NDcPP before 12.1-55.291. Citrix ADC and Citrix Gateway 13.1 are not listed as affected. In addition, the vulnerability is only exploitable when an affected appliance is configured as a SAML (Security Assertion Markup Language) service provider or identity provider; an appliance on an affected build that does not hold a SAML role still needs the patch, but is not exposed to this particular attack.
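The inventory review that HC3 asks for comes down to two checks per appliance: is the build below the fixed build for its release train and variant, and does the running configuration give the appliance a SAML role? The script below, an added example rather than anything from the HC3 alert or from Citrix, encodes the affected-version table above and scans an `ns.conf` for SAML service-provider or identity-provider objects. The version strings and the `ns.conf` excerpt are constructed for the example; the `add authentication samlAction` (SP) and `add authentication samlIdPProfile` (IdP) command names are assumed from the NetScaler CLI.

```python
import re

# Fixed builds taken from the affected-version list above. An appliance is on an
# affected build when its build number is strictly below the fix for its
# (release train, variant) pair. 13.1 is not in the list, so it falls through.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "fips"): (55, 291),
    ("12.1", "ndcpp"): (55, 291),
}

# ns.conf lines that give the appliance a SAML role. Command names are assumed
# from the NetScaler CLI: samlAction = SAML SP, samlIdPProfile = SAML IdP.
SAML_MARKERS = (
    "add authentication samlAction",
    "add authentication samlIdPProfile",
)

# Accepts both the short form "13.0-58.32" and the first line of `show version`,
# e.g. "NetScaler NS13.0: Build 58.32.nc, Date: ...".
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-:\s]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (train, (build_major, build_minor)), e.g. ('13.0', (58, 32))."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected_build(version_text, variant="standard"):
    """True when the build is below the fixed build for its train/variant."""
    train, build = parse_version(version_text)
    fixed = FIXED_BUILDS.get((train, variant))
    if fixed is None:
        return False  # train not in the affected table (e.g. 13.1)
    return build < fixed


def has_saml_role(ns_conf):
    """True when the config defines a SAML SP action or SAML IdP profile."""
    return any(line.strip().startswith(SAML_MARKERS) for line in ns_conf.splitlines())


def assess(version_text, ns_conf, variant="standard"):
    """Combine both preconditions from the advisory into one verdict.

    EXPOSED      - affected build and a SAML role: reachable by this bug.
    PATCH        - affected build, no SAML role: still update, not exposed here.
    NOT_AFFECTED - build is at or above the fix, or train is not listed.
    """
    if not is_affected_build(version_text, variant):
        return "NOT_AFFECTED"
    return "EXPOSED" if has_saml_role(ns_conf) else "PATCH"


# Constructed ns.conf excerpt: a SAML SP action bound through an auth policy.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlAction corp_sp -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.com/sso"
add authentication Policy corp_saml_pol -rule true -action corp_sp
"""

# Constructed config with no SAML objects at all.
SAMPLE_NS_CONF_NO_SAML = """\
set ns config -IPAddress 10.0.0.11 -netmask 255.255.255.0
add lb vserver web_lb HTTP 10.0.0.20 80
"""

if __name__ == "__main__":
    for ver, conf, variant in [
        ("NetScaler NS13.0: Build 58.31.nc, Date: Nov 1 2022", SAMPLE_NS_CONF, "standard"),
        ("13.0-58.32", SAMPLE_NS_CONF, "standard"),
        ("12.1-55.290", SAMPLE_NS_CONF_NO_SAML, "fips"),
        ("13.1-33.47", SAMPLE_NS_CONF, "standard"),
    ]:
        print(f"{ver:55} {variant:8} -> {assess(ver, conf, variant)}")
```

Run it against the output of `show version` and a copy of `/nsconfig/ns.conf` from each appliance; the FIPS and NDcPP variants share the 12.1 train but have a different fixed build, so the variant must be passed explicitly.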
The sector alert concludes by saying that “Upon detection of compromise of these vulnerabilities, the following actions are recommended by the National Security Agency:
- Move all Citrix ADC instances behind a VPN or other capability that requires valid user authentication (ideally multi-factor) prior to being able to access the ADC.
- Isolate the Citrix ADC appliances from the environment to ensure any malicious activity is contained.
- Restore the Citrix ADC to a known good state.”