APT5 exploits unauthenticated remote code execution flaw

Obanla Opeyemi

December 26, 2022 - TuxCare expert team

The U.S. National Security Agency has warned that a Chinese state-sponsored group is exploiting an unauthenticated remote code execution flaw (CVE-2022-27518) to compromise Citrix Application Delivery Controller (ADC) deployments. According to the NSA, a Chinese hacking group known as APT5 has demonstrated capabilities against a Citrix application delivery controller.

According to the NSA and Citrix, APT5 (also known as UNC2630 and MANGANESE), a Chinese state-backed threat actor known to target telecommunications and technology companies, is actively exploiting this vulnerability. APT5 has previously exploited vulnerabilities in Pulse Secure VPNs. The precise details of the exploit are not publicly available.

CVE-2022-27518 is a remote code execution (RCE) vulnerability that affects Citrix ADC or Citrix Gateway when configured as a Security Assertion Markup Language (SAML) service provider (SP) or a SAML identity provider (IdP). A remote, unauthenticated attacker can exploit the critical vulnerability to execute arbitrary code. CVE-2022-27518 did not receive a CVSSv3 score at the time of its initial release.

The NSA’s advisory is intended to disrupt a suspected Chinese intelligence operation by exposing its techniques and advising likely targets on how to defend against future attacks. Citrix, for its part, states that the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the appliance: attackers can target vulnerable Citrix ADC instances and bypass authentication controls to gain access to the targeted organization.

Although Citrix has issued an emergency patch to address the vulnerability, the company notes that “exploits of this issue on unmitigated appliances in the wild have been reported.”

Citrix’s advisory reiterates that an unauthenticated, remote attacker can exploit the flaw to gain arbitrary code execution on a vulnerable appliance. It adds that there are no workarounds for this vulnerability and that customers running an affected version with a SAML SP or IdP configuration should update immediately.

The underlying weakness is classified as CWE-644, Improper Control of a Resource Throughout its Lifetime. The affected products are Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32, Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25, Citrix ADC 12.1-FIPS before 12.1-55.291, and Citrix ADC 12.1-NDcPP before 12.1-55.291.
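As an added example (not from the article or from Citrix), the following script turns the affected-version list above into a triage check an administrator can run against the version string of each appliance. It assumes a banner in the form of `show ns version` output such as "NetScaler NS13.0: Build 58.32.nc" or the advisory's "13.0-58.32" form; the FIPS/NDcPP editions have their own, lower fixed build numbers, so the edition must be supplied separately.

```python
import re

# Fixed builds per branch, taken from the affected-version list above.
# A build strictly below the listed one is affected; build numbers are
# compared numerically as (major, minor), not as strings.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# Assumed banner formats: "NetScaler NS13.0: Build 58.32.nc" (as printed by
# 'show ns version') or the advisory's "13.0-58.32" form. Verify the exact
# output on your own appliance before relying on this pattern.
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<release>\d+\.\d+)(?::\s*Build\s+|-)(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(banner: str):
    """Return (release, (build_major, build_minor)) from a version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def is_affected(banner: str, saml_configured: bool, edition: str = "standard"):
    """True if the build is below the fixed build for its branch/edition and
    the appliance is used as a SAML SP or IdP; False if patched or SAML is not
    configured; None if the release branch is not in the advisory list."""
    if not saml_configured:
        return False  # the advisory scopes the issue to SAML SP/IdP configurations
    release, build = parse_version(banner)
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        return None  # branch not covered by the list above: check the vendor advisory
    return build < fixed


if __name__ == "__main__":
    # Constructed sample inventory: (banner, saml_configured, edition)
    inventory = [
        ("NetScaler NS13.0: Build 58.30.nc", True, "standard"),
        ("NetScaler NS12.1: Build 55.291.nc", True, "FIPS"),
        ("12.1-55.291", True, "standard"),
    ]
    for banner, saml, edition in inventory:
        print(f"{banner:40} {edition:9} affected={is_affected(banner, saml, edition)}")
```

Note that a 12.1 build 55.291 is patched on the FIPS and NDcPP editions but still affected on the standard 12.1 branch, which is why the edition is an explicit input.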

The sources for this piece include an article in TheHackerNews.

Watch this news on our Youtube channel: https://www.youtube.com/watch?v=TrZdxrcYprE&t=29s
