Skip to the content.

DIVD-2023-00001 - Citrix systems vulnerable for CVE-2022-27510 and/or CVE-2022-27518

Our reference DIVD-2023-00001
Case lead Frank Breedijk
Researcher(s)
  • Yun Hu (Fox-IT)
CVE(s)
Products
  • Citrix ADC
  • Citrix Gateway
Versions
  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47 (CVE-2022-27510)
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12 (CVE-2022-27510)
  • Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21 (CVE-2022-27510)
  • Citrix ADC 12.1-FIPS before 12.1-55.289 (CVE-2022-27510)
  • Citrix ADC 12.1-NDcPP before 12.1-55.289 (CVE-2022-27510)
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32 (CVE-2022-27518)
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25 (CVE-2022-27518)
  • Citrix ADC 12.1-FIPS before 12.1-55.291 (CVE-2022-27518)
  • Citrix ADC 12.1-NDcPP before 12.1-55.291 (CVE-2022-27518)
Recommendation Update your system to the latest patched version
Patch status Fully patched
Status Closed
Last modified 24 May 2023 15:51

Summary

When Fox-IT researcher Yun Hu read these two security

Early Jan 2023, Fox-IT and DIVD agreed to cooperate and share data so that DIVD could warn the owners of vulnerable systems.

These two of CVEs are critical.

CVE-2022-27510 - Unauthorized access to Gateway user capabilities

This vulnerability leaves your appliance open to being taken over remotely by an attacker if it is “operating as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy)”

CVE-2022-27518 - Unauthenticated remote arbitrary code execution

This vulnerability allows an attacker to take over an appliance if it is configured as a SAML Service Provider or SAML Identity Provider.

What you can do

If your Citrix server hasn’t been updated to a secure version, we strongly advise you to patch it, especially if you’re utilizing any of the following features:

If you are not using one of these servers we still recommend that you patch to a non-vulnerable version to prevent that your appliance becomes vulnerable when you start using one of these functions in the future.

What we are doing

Fox-IT has shared lists with vulnerable systems on a regular basis, and DIVD has sent out notifications to owners of vulnerable systems.

We did this over a timespam of three months.

We stopped notifying system owners after this time.

Timeline

Date Description
08 Nov 2022 Citrix releases a security bulletin for CVE-2022-27510, CVE-2022-27513 and CVE-2022-27516
24 Nov 2022 Fox-IT starts scanning for and identifying vulnerable Citrix servers
13 Dec 2022 Citrix releases a security bulletin for CVE-2022-27518
28 Dec 2022 Fox-IT publishes blog post
16 Jan 2023 DIVD and Fox-IT agree to cooperate.
17 Jan 2023 First data shared between Fox-IT and DIVD
18 Jan 2023 First version of this case file” file
18 Jan 2023 DIVD sent out a first batch of notifications.
22 Feb 2023 DIVD sent out a second round of notifications.
24 May 2023 DIVD sent out a third and final round of notifications.
24 May 2023 Case closed.
gantt title DIVD-2023-00001 - Citrix systems vulnerable for CVE-2022-27510 and/or CVE-2022-27518 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00001 - Citrix systems vulnerable for CVE-2022-27510 and/or CVE-2022-27518 (126 days) :2023-01-18, 2023-05-24 section Events Citrix releases a security bulletin for CVE-2022-27510, CVE-2022-27513 and CVE-2022-27516 : milestone, 2022-11-08, 0d Fox-IT starts scanning for and identifying vulnerable Citrix servers : milestone, 2022-11-24, 0d Citrix releases a security bulletin for CVE-2022-27518 : milestone, 2022-12-13, 0d Fox-IT publishes blog post : milestone, 2022-12-28, 0d DIVD and Fox-IT agree to cooperate. : milestone, 2023-01-16, 0d First data shared between Fox-IT and DIVD : milestone, 2023-01-17, 0d First version of this case file” file : milestone, 2023-01-18, 0d DIVD sent out a first batch of notifications. : milestone, 2023-01-18, 0d DIVD sent out a second round of notifications. : milestone, 2023-02-22, 0d DIVD sent out a third and final round of notifications. : milestone, 2023-05-24, 0d Case closed. : milestone, 2023-05-24, 0d

More information