Today we released builds to fix CVE-2022-27518, which affects Citrix ADC and Citrix Gateway 12.1 (including the FIPS and NDcPP variants) and 13.0 before 13.0-58.32. An appliance is affected only if it is configured with a SAML SP or IdP configuration.

As part of our internal reviews and in working with our security partners, we have identified vulnerabilities in Citrix ADC and Citrix Gateway 12.1 and 13.0 before 13.0-58.32 builds. Customers who are using an affected build with a SAML SP or IdP configuration are urged to install the recommended builds immediately as this vulnerability has been identified as critical (CTX474995). No workarounds are available for this vulnerability.

We are aware of a small number of targeted attacks in the wild using this vulnerability. In this blog and the related security bulletin, we are sharing limited technical details to protect customers from exploits. However, the National Security Agency (NSA) has released a Cybersecurity Advisory (CSA) with detection and mitigation guidance for tools leveraged by a malicious actor against ADC and Gateway. The Cybersecurity Advisory is available here.

If you are a Citrix-managed cloud services or Citrix-managed Adaptive Authentication customer, no action is required. This update applies to customer-managed Citrix ADC or Citrix Gateway appliances only.

Recommended Next Steps

All customers using the affected builds should either update to the current 12.1 build (including FIPS and NDcPP variants) or to the current 13.0 build (13.0-88.16). Customers using an affected build with a SAML SP or IdP configuration are urged to install the current build immediately. As an alternative, customers may upgrade to the 13.1 version, which is not affected.

Customers who are running affected builds can set up audit logging to monitor for unauthorized activity on ADC or Gateway devices. Learn more at https://docs.citrix.com/en-us/citrix-adc/current-release/system/audit-logging/configuring-audit-logging.html. Customers using Citrix ADC or Citrix Gateway instances on an SDX platform will need to upgrade VPX instances (the underlying SDX platform itself is not affected). Likewise, Citrix ADC configurations that do not use SAML authentication (e.g., traditional load balancing configurations) and related products such as Citrix Application Delivery Management (ADM) and Citrix SD-WAN are not affected.

Update installation

Permanent fixes are available to download for Citrix ADC and Citrix Gateway.


Customers using affected builds should either update to the latest 12.1 release or move to the most recent version, 13.0-88.16, or a 13.1 build.

We recommend following the Citrix ADC secure configuration and deployment guide, available at https://docs.citrix.com/en-us/citrix-adc-secure-deployment.html.

Technical Assistance

If you encounter any issues during your update, you can contact Citrix Technical Support at https://www.citrix.com/support/open-a-support-case.

Learn More, and Stay Up to Date

The related security bulletin (CTX474995) is available in the Citrix Knowledge Center at https://support.citrix.com/article/CTX474995.

The Citrix ADC secure deployment guide provides best practices for Citrix ADC MPX, VPX, and SDX security and is available at https://docs.citrix.com/en-us/citrix-adc-secure-deployment.html.

Sign up with security bulletin notifications at https://support.citrix.com/user/alerts.

FAQs

Is my customer/deployment affected?
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix ADC and Citrix Gateway versions 13.1 are unaffected.

How do I know if our Citrix ADC or Citrix Gateway is configured as SAML SP or SAML IdP?
You can determine if your Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP by inspecting the ns.conf file for the following commands:

  • “add authentication samlaction” – Appliance is configured as a SAML SP
  • “add authentication samlIdpProfile” – Appliance is configured as a SAML IdP

If either of these commands is present in the ns.conf file and you are using an affected build, then the appliance must be updated.

What should customers do now?
Limited exploits of this vulnerability have been reported. We strongly urge customers on the affected builds of Citrix ADC and Citrix Gateway to install the updated builds as soon as possible:

  • Citrix ADC and Citrix Gateway 13.0-58.32 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP
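As an added example (not Citrix's code or part of the bulletin), the following Python check applies the two tests from the FAQs above to a saved copy of ns.conf and a release string written in the page's 13.0-58.32 form: it looks for the two SAML commands and compares the build against the fixed builds listed for 13.0, 12.1, 12.1-FIPS and 12.1-NDcPP. The `edition` argument, the sample ns.conf fragment and the version-string format are assumptions made for the example.

```python
import re

# Fixed builds as stated on this page (13.1 is unaffected).
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),   # fixed in 13.0-58.32
    ("12.1", "standard"): (65, 25),   # fixed in 12.1-65.25
    ("12.1", "FIPS"): (55, 291),      # fixed in 12.1-55.291
    ("12.1", "NDcPP"): (55, 291),     # fixed in 12.1-55.291
}

# ns.conf commands named in the FAQ (compared case-insensitively); either means SAML is in use.
SAML_COMMANDS = {
    "add authentication samlaction": "SAML SP",
    "add authentication samlidpprofile": "SAML IdP",
}

# Constructed sample ns.conf fragment, not taken from a real appliance.
SAMPLE_NS_CONF = """\
add lb vserver web_lb HTTP 10.0.0.5 80
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert
add authentication vserver auth_vs SSL 10.0.0.6 443
"""

def parse_build(version):
    """Split a release string such as '13.0-58.32' into ('13.0', (58, 32))."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def saml_roles(ns_conf_text):
    """Return the set of SAML roles ('SAML SP', 'SAML IdP') configured in ns.conf."""
    roles = set()
    for line in ns_conf_text.splitlines():
        lowered = line.strip().lower()
        for cmd, role in SAML_COMMANDS.items():
            if lowered.startswith(cmd):
                roles.add(role)
    return roles

def is_vulnerable(version, ns_conf_text, edition="standard"):
    """True only when the build predates the fix AND a SAML SP/IdP is configured."""
    release, build = parse_build(version)
    if release == "13.1":
        return False
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        raise ValueError(f"{release} {edition} is not covered by this bulletin")
    return build < fixed and bool(saml_roles(ns_conf_text))
```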

What is the impact of this attack?
Please refer to the related security bulletin (CTX474995) available on the Citrix Knowledge Center at https://support.citrix.com/article/CTX474995.

Is Citrix planning to deliver a code fix?
Yes, Citrix has delivered a code fix. Please refer to the related security bulletin (CTX474995) available on the Citrix Knowledge Center at https://support.citrix.com/article/CTX474995.

Is there a workaround or mitigation that I could use instead of updating?
Citrix recommends applying the builds released December 13, 2022. No workarounds are available beyond disabling SAML authentication or upgrading to a current build.

How urgently should I fix my deployment?
Customers using an affected build are urged to install the recommended updates immediately as this vulnerability has been identified as critical (CTX474995). We are aware of a small number of targeted attacks in the wild using this vulnerability.

Does this affect only on-prem deployments or are cloud services also impacted?
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway appliances. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Can we fix this vulnerability using Web Application Firewall signatures?
No, it is not possible to fix the vulnerability with Web Application Firewall signatures.

How will I know if my device is already compromised?
Citrix is unable to provide forensic analysis to determine if a system may have been compromised. As noted, the National Security Agency (NSA) has released a Cybersecurity Advisory (CSA) with detection and mitigation guidance for tools leveraged by a malicious actor against ADC. The Cybersecurity Advisory is available here.

What is the CVSS score for this issue?
We do not publish CVSS scores. For more information, please refer to the security bulletin (CTX474995) available in the Citrix Knowledge Center at https://support.citrix.com/article/CTX474995.

Do you have more details on the Citrix ADC and Citrix Gateway vulnerability? Can I have more information that is not in the bulletin?
No. Citrix is limiting information to the details contained in its Security Bulletin [CTX474995] at https://support.citrix.com/securitybulletins.

Does Citrix provide forensic analysis?
Citrix recommends that customers reference the NSA Cybersecurity Advisory, available here, which includes detection and mitigation guidance for tools leveraged by a malicious actor against Citrix ADC and Citrix Gateway.

Why did Citrix not reach out directly to us (customers) in advance?
To best protect all of our customers, Citrix releases security bulletins to customers and the public simultaneously. This is standard industry practice to ensure that all customers can upgrade as soon as possible. Notifications were provided to customers who have signed up to receive security bulletins. We recommend that customers update their support alerts settings to receive future security bulletins at https://support.citrix.com/user/alerts.

How can I get support?
If you encounter any issues during your update, you can contact Citrix Technical Support at https://www.citrix.com/support/open-a-support-case.

Where can I learn more about this vulnerability?
You can find more details in the following:

How do I stay up to date on the latest security updates?
Sign up for security bulletin notifications at https://support.citrix.com/user/alerts.

How do I learn more about reporting any potential security vulnerabilities?
Citrix welcomes input regarding the security of its products and takes seriously any potential vulnerabilities. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

Citrix remains committed to incorporating your feedback as we adapt our communication and customer support offerings. Reach out to us at secure@citrix.com with your feedback.