DIVD-2023-00001 - Citrix systems vulnerable for CVE-2022-27510 and/or CVE-2022-27518
| Case lead | Frank Breedijk |
| Recommendation | Update your system to the latest patched version |
| Patch status | Fully patched |
| Last modified | 24 May 2023 15:51 |
When Fox-IT researcher Yun Hu read these two security bulletins from Citrix:
- Citrix security bulletin for CVE-2022-27510, CVE-2022-27513 and CVE-2022-27516
- Citrix security bulletin for CVE-2022-27518

he decided that it was time to start scanning the internet for Citrix servers vulnerable to CVE-2022-27510 and (later) CVE-2022-27518. He has published a very nice blog post.
Early Jan 2023, Fox-IT and DIVD agreed to cooperate and share data so that DIVD could warn the owners of vulnerable systems.
These two CVEs are critical.
CVE-2022-27510 - Unauthorized access to Gateway user capabilities
This vulnerability leaves your appliance open to being taken over remotely by an attacker if it is “operating as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy)”.
CVE-2022-27518 - Unauthenticated remote arbitrary code execution
This vulnerability allows an attacker to take over an appliance if it is configured as a SAML Service Provider or SAML Identity Provider.
What you can do
If your Citrix server hasn’t been updated to a secure version, we strongly advise you to patch it, especially if you’re utilizing any of the following features:
- SSL VPN
- ICA Proxy
- RDP Proxy
- SAML (either Service Provider or Identity Provider)
If you are not using one of these features, we still recommend that you patch to a non-vulnerable version, so that your appliance does not become vulnerable when you start using one of these functions in the future.
What we are doing
Fox-IT has shared lists of vulnerable systems on a regular basis, and DIVD has sent out notifications to the owners of vulnerable systems.
We did this over a timespan of three months.
We stopped notifying system owners after this time.
| 08 Nov 2022 | Citrix releases a security bulletin for CVE-2022-27510, CVE-2022-27513 and CVE-2022-27516 |
| 24 Nov 2022 | Fox-IT starts scanning for and identifying vulnerable Citrix servers |
| 13 Dec 2022 | Citrix releases a security bulletin for CVE-2022-27518 |
| 28 Dec 2022 | Fox-IT publishes blog post |
| 16 Jan 2023 | DIVD and Fox-IT agree to cooperate. |
| 17 Jan 2023 | First data shared between Fox-IT and DIVD |
| 18 Jan 2023 | First version of this case file |
| 18 Jan 2023 | DIVD sent out a first batch of notifications. |
| 22 Feb 2023 | DIVD sent out a second round of notifications. |
| 24 May 2023 | DIVD sent out a third and final round of notifications. |
| 24 May 2023 | Case closed. |
- Citrix security bulletin for CVE-2022-27510, CVE-2022-27513 and CVE-2022-27516
- Citrix security bulletin for CVE-2022-27518
- Fox-IT blogpost by Yun Hu