Alert essentials:
On November 8, 2022, Citrix published a security bulletin announcing fixes for three vulnerabilities: CVE-2022-27510, CVE-2022-27513, and CVE-2022-27516. These CVEs allow for unauthorized access, remote desktop takeover, and user login brute force attacks against Citrix appliances. Organizations should review all Citrix ADC and Gateways to ensure they are running the latest firmware versions.

Detailed threat description:
Fortified Health Security VTM clients can search for these vulnerabilities using Nessus Professional Plugin ID 167195 in the dashboard. The three vulnerabilities are:

  • CVE-2022-27510: Appliances configured with SSL VPN functionality or being used as an Independent Computing Architecture Proxy can have authentication bypassed, handing over control to an attacker.
  • CVE-2022-27513: Insufficient verification of data authenticity, allowing remote desktop takeover through phishing attacks. This vulnerability can only be exploited if the appliance is configured as a VPN (Gateway) and the RDP proxy functionality is configured.
  • CVE-2022-27516: User login brute force protection mechanism failure allowing login bypass. This vulnerability can only be exploited if the appliance is configured as a VPN (Gateway) or AAA virtual server, and the user lockout functionality “Max Login Attempts” must be configured.

Impact on healthcare organizations
These vulnerabilities allow threat actors to compromise and take control of Citrix appliances through authentication bypassing, phishing, or login brute forcing. Successful attacks could allow for data exfiltration or ransomware deployment – compromising PHI, patient care, and potentially leading to extended downtime of IT systems.

Affected products / versions

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289
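A small triage helper, added here as an example (not Fortified's or Citrix's own tooling), that encodes the fixed builds listed above and flags inventory entries below them. It assumes Citrix build strings follow the `<branch>-<build>.<minor>` form used in the list (e.g. `13.1-33.47`); hostnames in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed build per branch, copied from the affected-products list in
# this alert. A build below the listed one on that branch is affected.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "13.1": (33, 47),
    "13.0": (88, 12),
    "12.1": (65, 21),
    "12.1-FIPS": (55, 289),
    "12.1-NDcPP": (55, 289),
}

# Assumed build-string shape: "<branch>-<build>.<minor>", e.g. "13.1-33.47"
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '13.1-33.47' into ('13.1', (33, 47)); reject anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected(version: str, edition: Optional[str] = None) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if fixed.
    edition is 'FIPS' or 'NDcPP' for the hardened 12.1 images, which have
    their own threshold. Returns None for branches the bulletin does not
    list, so they get a manual check instead of being treated as safe."""
    branch, build = parse_version(version)
    key = f"{branch}-{edition}" if edition else branch
    fixed = FIXED_BUILDS.get(key)
    return None if fixed is None else build < fixed


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames that need an upgrade (affected) or a manual check (unlisted)."""
    return [a["host"] for a in inventory
            if is_affected(a["version"], a.get("edition")) is not False]


# Constructed sample inventory (hypothetical hosts, not taken from the alert)
SAMPLE_INVENTORY = [
    {"host": "gw-1.example", "version": "13.1-33.47"},                  # fixed
    {"host": "gw-2.example", "version": "13.0-87.9"},                   # affected
    {"host": "adc-fips.example", "version": "12.1-55.289", "edition": "FIPS"},  # fixed
    {"host": "adc-std.example", "version": "12.1-55.289"},              # standard image: needs 65.21
    {"host": "adc-old.example", "version": "12.0-63.13"},               # branch not in bulletin
]
```

Note that the same build number (`12.1-55.289`) is fixed on the FIPS/NDcPP images but still affected on the standard 12.1 image, so the edition must be recorded in the inventory, not inferred from the version string.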

CVEs

  • CVE-2022-27510
  • CVE-2022-27513
  • CVE-2022-27516


Recommendations

Engineering recommendations:

  • Locate all Citrix ADC/Gateway appliances and ensure they are upgraded to the latest versions

Leadership / program recommendations:

  • Review your organization’s patch management procedures to ensure Citrix and other vendor appliances receive regular updates

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
