Citrix Issues Patches for Critical Flaw Affecting ADC and Gateway Products

Citrix has released security updates[1]
to address a critical authentication bypass flaw in the application
delivery controller (ADC) and Gateway products that could be
exploited to take control of affected systems.

Successful exploitation of the issues could enable an adversary
to gain unauthorized access, perform remote desktop takeover, and
even circumvent defenses against login brute-force attempts under
specific configurations.

  • CVE-2022-27510 – Unauthorized access to Gateway user capabilities
  • CVE-2022-27513 – Remote desktop takeover via phishing
  • CVE-2022-27516 – User login brute-force protection functionality bypass

The following supported versions of Citrix ADC and Citrix
Gateway are affected by the flaws –

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289

Exploitation, however, banks on the prerequisite that the
appliances are either configured as a VPN (Gateway) or,
alternatively, an authentication, authorization and accounting
(AAA[2]) virtual server in the
case of CVE-2022-27516.

On top of that, CVE-2022-27513 and CVE-2022-27516 also apply
only when the RDP proxy feature and the user lockout functionality
“Max Login Attempts” are set up, respectively.
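As an added illustration (not code from Citrix or from the article), the following Python checker turns the affected-version list and the configuration prerequisites above into a function a defender can run against an appliance's reported build. The version string format, the branch names and the configuration flags it accepts are assumptions, and the sample builds in the test are constructed.

```python
import re
from typing import Optional

# Fixed builds per release line as listed in the advisory summary above.
# The article writes the 12.1 fix with dots ("12.1.65.21") while the other
# lines use "<major>.<minor>-<build>.<sub>", so the parser accepts either
# separator and compares the numeric components.
FIXED_BUILDS = {
    "standard": {(13, 1): "13.1-33.47", (13, 0): "13.0-88.12", (12, 1): "12.1.65.21"},
    "fips": {(12, 1): "12.1-55.289"},     # Citrix ADC 12.1-FIPS
    "ndcpp": {(12, 1): "12.1-55.289"},    # Citrix ADC 12.1-NDcPP
}


def parse_version(version: str) -> tuple:
    """Split a Citrix ADC/Gateway version such as '13.0-88.12' into integers."""
    parts = re.split(r"[.-]", version.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_build(version: str, branch: str = "standard") -> Optional[bool]:
    """True if the build predates the fix for its release line, False if it is
    at or past the fix, None if the release line is not covered by the advisory."""
    v = parse_version(version)
    fixed = FIXED_BUILDS[branch].get(v[:2])
    if fixed is None:
        return None
    return v < parse_version(fixed)   # same line, so this compares build.sub


def applicable_cves(version: str, branch: str = "standard", *, gateway_vpn: bool = False,
                    aaa_vserver: bool = False, rdp_proxy: bool = False,
                    max_login_attempts: bool = False) -> list:
    """Return the advisory's CVEs that apply to this build and configuration."""
    vulnerable = is_vulnerable_build(version, branch)
    if vulnerable is None:
        raise ValueError("release line not covered by the advisory; check manually")
    if not vulnerable:
        return []
    cves = []
    # All three issues need a Gateway (VPN) configuration; CVE-2022-27516
    # alternatively applies to an AAA virtual server.
    if gateway_vpn:
        cves.append("CVE-2022-27510")
        if rdp_proxy:                      # RDP proxy feature must be enabled
            cves.append("CVE-2022-27513")
    if (gateway_vpn or aaa_vserver) and max_login_attempts:   # "Max Login Attempts" set
        cves.append("CVE-2022-27516")
    return cves
```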

The cloud computing and virtualization technology company said
that no action is required from customers relying on cloud services
managed directly by Citrix.

Jarosław Jahrek Kamiński, a researcher at Polish penetration
testing firm Securitum, has been credited with discovering and
reporting the vulnerabilities.

“Affected customers of Citrix ADC and Citrix Gateway are
recommended to install the relevant updated versions of Citrix ADC
or Citrix Gateway as soon as possible,” Citrix said in an
advisory.

References

  1. security updates (support.citrix.com)
  2. AAA (docs.citrix.com)
