Citrix Gateway and Citrix ADC customers could be at immediate risk due to security flaws. Here's what you need to know.
On November 8th, 2022, Citrix released an advisory detailing several security flaws (CVE-2022-27510, CVE-2022-27513, and CVE-2022-27516) in Citrix Gateway and Citrix Application Delivery Controller (ADC). Citrix Gateway is commonly used as a remote access solution and Citrix ADC is a networking appliance for web applications. Without a security patch, a remote attacker may be able to bypass authentication and gain access to an affected Gateway or ADC appliance. From there the attacker could conduct further exploitation.
Quick facts: what you need to know now
- Only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the critical authentication bypass vulnerability CVE-2022-27510.
- The vulnerabilities affect the following products and versions:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
- Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
- Citrix ADC 12.1-FIPS before 12.1-55.289
- Citrix ADC 12.1-NDcPP before 12.1-55.289
- This only applies to customer-managed Citrix ADC and Citrix Gateway appliances.
Next Steps for All Citrix Customers:
- Upgrade to a non-vulnerable version of ADC or Gateway as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
- Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
- Note: Please note that Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL and customers on those versions are recommended to upgrade to one of the supported versions.
- If you require technical assistance with this issue, please contact Citrix Technical Support.
- Check this article periodically over the next few weeks as we will keep it updated as more information becomes available.
If you have any questions, please reach out to the Risk + Response Team at firstname.lastname@example.org!