Citrix has released security updates to address a critical authentication bypass flaw in its Application Delivery Controller (ADC) and Gateway products that could be exploited to take control of affected systems.
Successful exploitation of the issues could allow an adversary to gain unauthorized access, perform remote desktop takeover, and even circumvent defenses against login brute-force attempts under specific configurations. The three vulnerabilities are:
- CVE-2022-27510 – Unauthorized access to Gateway user capabilities
- CVE-2022-27513 – Remote desktop takeover via phishing
- CVE-2022-27516 – User login brute-force protection functionality bypass
The following supported versions of Citrix ADC and Citrix Gateway are affected by the flaws –
- Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
- Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
- Citrix ADC 12.1-FIPS before 12.1-55.289
- Citrix ADC 12.1-NDcPP before 12.1-55.289
Exploitation, however, depends on the appliance being configured as a VPN (Gateway) virtual server, or, in the case of CVE-2022-27516 only, alternatively as an authentication, authorization and accounting (AAA) virtual server.
On top of that, CVE-2022-27513 applies only when the RDP proxy feature is configured, and CVE-2022-27516 applies only when the user lockout functionality "Max Login Attempts" is set. An appliance running a vulnerable build without these features enabled is not exposed to the corresponding CVE, but should still be patched.
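As an added example (not Citrix's code and not part of the original article), the following Python script turns the affected-version list and the configuration prerequisites above into a quick triage check: it compares a running build string against the fixed build for its release train and scans an `ns.conf` dump for the features each CVE needs. The `ns.conf` command shapes it matches (`add vpn vserver`, `add authentication vserver`, `add rdp clientprofile`/`serverprofile`, `-maxLoginAttempts`) are assumptions about NetScaler CLI syntax, the version-string formats it accepts are assumptions, and the sample config at the bottom is constructed for illustration.

```python
import re

# Fixed builds from the advisory summarised above, keyed by release train.
# The two 12.1 special editions cannot be told apart from the build string
# alone, so callers must name them explicitly via the `train` argument.
FIXED_BUILDS = {
    "13.1": "13.1-33.47",
    "13.0": "13.0-88.12",
    "12.1": "12.1-65.21",
    "12.1-FIPS": "12.1-55.289",
    "12.1-NDcPP": "12.1-55.289",
}

# Assumed ns.conf command shapes for the features the advisory names as
# prerequisites. These patterns are an assumption about NetScaler CLI syntax,
# not something the advisory spells out.
PREREQ_PATTERNS = {
    "vpn_vserver": re.compile(r"^add vpn vserver\b", re.I),
    "aaa_vserver": re.compile(r"^add authentication vserver\b", re.I),
    "rdp_proxy": re.compile(r"^add rdp (client|server)profile\b", re.I),
    "max_login_attempts": re.compile(r"-maxLoginAttempts\s+[1-9]", re.I),
}

# Accepts both '13.0-88.12' and the 'NS13.0: Build 88.12.nc' form (assumed
# shape of `show version` output).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)[-:\s]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_build(version):
    """Reduce a version string to a (major, minor, build, subbuild) tuple."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version, train=None):
    """True if `version` is older than the fixed build for its release train.

    Returns None for a train the advisory does not cover (e.g. 11.1),
    since the advisory makes no statement about those builds.
    """
    running = parse_build(version)
    key = train or f"{running[0]}.{running[1]}"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return None
    return running < parse_build(fixed)


def exposed_cves(ns_conf_lines):
    """Map the advisory's configuration prerequisites onto a config dump.

    CVE-2022-27510 needs a Gateway (VPN) vserver; CVE-2022-27513 additionally
    needs RDP proxy; CVE-2022-27516 needs a Gateway or AAA vserver plus a
    non-zero Max Login Attempts setting.
    """
    found = {
        name: any(pat.search(line.strip()) for line in ns_conf_lines)
        for name, pat in PREREQ_PATTERNS.items()
    }
    cves = []
    if found["vpn_vserver"]:
        cves.append("CVE-2022-27510")
        if found["rdp_proxy"]:
            cves.append("CVE-2022-27513")
    if (found["vpn_vserver"] or found["aaa_vserver"]) and found["max_login_attempts"]:
        cves.append("CVE-2022-27516")
    return cves


def assess(version, ns_conf_lines, train=None):
    """CVEs an appliance is exposed to: [] if patched, None if unknown train."""
    vuln = is_vulnerable(version, train)
    if vuln is None:
        return None
    return exposed_cves(ns_conf_lines) if vuln else []


# Constructed sample config fragment (not a real appliance dump).
SAMPLE_NS_CONF = """
add vpn vserver gw_vs SSL 10.0.0.10 443
add rdp clientprofile rdp_cp
set aaa parameter -maxLoginAttempts 5 -failedLoginTimeout 10
""".strip().splitlines()


if __name__ == "__main__":
    print(assess("NS13.0: Build 88.11.nc", SAMPLE_NS_CONF))
    # → ['CVE-2022-27510', 'CVE-2022-27513', 'CVE-2022-27516']
```

Run it against the output of `show version` and a copy of `ns.conf` from the appliance. Note that a FIPS or NDcPP appliance reports a 12.1-55.x build that would wrongly compare against the mainline 12.1-65.21 threshold, which is why `train` must be passed explicitly for those editions.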
The cloud computing and virtualization technology company said that no action is required from customers relying on cloud services managed directly by Citrix.
Jarosław Jahrek Kamiński, a researcher at Polish penetration testing firm Securitum, has been credited with discovering and reporting the vulnerabilities.
"Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible," Citrix said in an advisory.