Citrix Application Delivery Controller (ADC) and Citrix Gateway users have been urged to check to make sure that their systems are not vulnerable to a critical unauthenticated remote code execution vulnerability, which is being actively exploited by a highly capable Chinese advanced persistent threat (APT) actor and potentially other state-sponsored hacking groups.
Citrix ADC is a comprehensive application delivery and load-balancing solution that is used by healthcare organizations to ensure the constant availability of critical clinical applications, including electronic medical records. Citrix Gateway is used by healthcare organizations for remote access and for providing single sign-on across all applications. The Citrix ADC and Gateway authentication bypass vulnerability is tracked as CVE-2022-27518 and has been assigned a CVSS v3 severity score of 9.8 out of 10. The flaw can be exploited remotely by an unauthenticated actor to execute code and completely compromise the system.
Mandiant has observed a Chinese state-sponsored hacking group exploiting the flaw. The APT actor is tracked by Mandiant as APT5 (aka UNC2630, Keyhole Panda, Manganese) and has been active since at least 2007. The APT group typically targets technology and telecommunications companies, although companies and organizations in other sectors have also been attacked. The Health Sector Cybersecurity Coordination Center (HC3) has recently issued an alert about the vulnerability after it was exploited in cyberattacks on healthcare organizations. It was not possible to attribute the healthcare cyberattacks to any specific threat actor.
HC3 has urged all healthcare organizations to review their asset inventories to see if they use Citrix ADC or Citrix Gateway and, if so, to check whether those appliances are vulnerable and prioritize patching. The vulnerability affects the following Citrix ADC and Gateway versions when they are configured as a Security Assertion Markup Language service provider (SAML SP) or identity provider (SAML IdP); version 13.1 is not affected.
- Citrix ADC and Citrix Gateway 13.0 prior to version 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 prior to version 12.1-65.25
- Citrix ADC 12.1-FIPS prior to version 12.1-55.291
- Citrix ADC 12.1-NDcPP prior to version 12.1-55.291
To check whether a Citrix ADC or Citrix Gateway appliance is exposed, open its ns.conf file and look for either of the two commands below. Their presence means the appliance is configured as a SAML SP or SAML IdP, so an appliance running one of the affected builds listed above is vulnerable if either command is found.
- “add authentication samlAction”
- “add authentication samlIdPProfile”
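The following script turns the two-part check above (affected build plus SAML configuration in ns.conf) into a repeatable offline test. It is an added example, not a tool from Citrix, HC3 or the NSA guidance; the fixed builds are the ones listed above, the release train (13.0, 12.1, 12.1-FIPS or 12.1-NDcPP) must be supplied because the build number alone does not identify the FIPS/NDcPP line, and the ns.conf fragment is constructed for illustration.

```shell
#!/bin/sh
# Added example: offline check for CVE-2022-27518 exposure from an ns.conf copy
# and the appliance's build number (as reported by `show ns version`).

# Fixed builds per the advisory versions listed above.
fixed_build() {
  case "$1" in
    13.0)                 echo "58.32" ;;
    12.1)                 echo "65.25" ;;
    12.1-FIPS|12.1-NDcPP) echo "55.291" ;;
    *)                    echo "" ;;     # unknown train (e.g. 13.1): not covered by this advisory
  esac
}

# build_lt A B : succeeds when build A ("58.15") is numerically below build B ("58.32").
build_lt() {
  a_major=${1%%.*}; a_minor=${1#*.}
  b_major=${2%%.*}; b_minor=${2#*.}
  [ "$a_major" -lt "$b_major" ] && return 0
  [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ] && return 0
  return 1
}

# version_vulnerable TRAIN VERSION : succeeds when VERSION is below the fixed build for TRAIN.
# VERSION may be the full string ("13.0-58.15") or just the build ("58.15").
version_vulnerable() {
  fixed=$(fixed_build "$1")
  [ -n "$fixed" ] || return 1
  build=${2##*-}
  build_lt "$build" "$fixed"
}

# saml_configured FILE : succeeds when ns.conf contains either command from the advisory.
saml_configured() {
  grep -Eq '^add authentication (samlAction|samlIdPProfile) ' "$1"
}

# check_appliance TRAIN VERSION FILE : prints a verdict; succeeds only when likely vulnerable.
check_appliance() {
  if version_vulnerable "$1" "$2" && saml_configured "$3"; then
    echo "LIKELY VULNERABLE: $1 build ${2##*-} with SAML SP/IdP configured in $3"
    return 0
  fi
  saml=$(saml_configured "$3" && echo yes || echo no)
  echo "not affected: $1 build ${2##*-}, SAML configured: $saml"
  return 1
}

# Constructed sample ns.conf fragment (hypothetical names; not a real appliance's config).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlAction saml_idp -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.com/sso"
add authentication Policy saml_pol -rule true -action saml_idp
bind authentication vserver auth_vs -policy saml_pol -priority 100
EOF

# Same config on a vulnerable build and on the fixed build; a non-zero status means "not affected".
for v in 13.0-58.15 13.0-58.32; do
  check_appliance 13.0 "$v" "$SAMPLE_CONF" || :
done
```

Run it against a copy of /nsconfig/ns.conf pulled off the appliance rather than on the appliance itself, and treat a "LIKELY VULNERABLE" result as a trigger for both patching and the compromise checks described below, since a vulnerable build may already have been exploited before it was patched.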
All vulnerable instances of these Citrix platforms should be patched as soon as possible to prevent exploitation of the vulnerability, and it is also strongly recommended to check whether the vulnerability has already been exploited, since patching does not remove an existing compromise. YARA signatures for that check can be accessed through the HC3 alert. If evidence of a compromise is found, all Citrix instances should be moved behind a VPN or other authentication measures should be implemented, and multifactor authentication should be enabled. If Citrix ADC appliances are located in environments where malicious activity is detected, they should be isolated and then restored to their last known good state.
The post Critical Citrix ADC and Gateway Vulnerability Exploited in Attacks on Healthcare Organizations appeared first on HIPAA Journal.