December 26, 2022 - TuxCare expert team
The U.S. National Security Agency has warned that a Chinese state-sponsored group is exploiting an unauthenticated remote code execution flaw (CVE-2022-27518) to compromise Citrix Application Delivery Controller (ADC) deployments. According to the NSA, a Chinese hacking group known as APT5 has demonstrated capabilities against a Citrix application delivery controller.
According to the NSA and Citrix, APT5 (also known as UNC2630 and MANGANESE), a Chinese state-backed threat actor known to target telecommunications and technology companies, is actively exploiting this vulnerability. APT5 has previously exploited vulnerabilities in Pulse Secure VPNs. The precise details of the exploit are not publicly available.
CVE-2022-27518 is a remote code execution (RCE) vulnerability that affects Citrix ADC or Citrix Gateway when configured as a Security Assertion Markup Language (SAML) service provider (SP) or a SAML identity provider (IdP). A remote, unauthenticated attacker can exploit the critical vulnerability to execute arbitrary code. CVE-2022-27518 did not receive a CVSSv3 score at the time of its initial release.
The NSA’s advisory effectively demolishes a suspected Chinese intelligence operation by revealing its techniques and advising possible targets on how to avoid future attacks. For its part, Citrix states that the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the appliance: attackers target vulnerable Citrix ADC instances, bypass authentication controls, and use the foothold to gain access to the targeted organization.
Although Citrix has issued an emergency patch to address the vulnerability, the vendor acknowledges that “exploits of this issue on unmitigated appliances in the wild have been reported.”
The Citrix advisory further notes that an unauthenticated, remote attacker can exploit the flaw to gain arbitrary code execution on the vulnerable appliance. It adds that there are no workarounds for this vulnerability and that customers running an impacted version with a SAML SP or IdP configuration should update immediately.
The underlying weakness is classified as CWE-644, Improper Control of a Resource Throughout its Lifetime. The affected builds are Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32, Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25, Citrix ADC 12.1-FIPS before 12.1-55.291, and Citrix ADC 12.1-NDcPP before 12.1-55.291.
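As an added illustration (not part of the TuxCare article and not a Citrix tool), the following Python encodes the affected ranges listed above so that an inventory of ADC/Gateway version strings can be triaged: a build older than the fixed one on its release line is affected, and an affected build with a SAML SP or IdP configuration is the case the advisory says is exposed. It assumes version strings written the way the advisory writes them ("13.0-58.30", "12.1-FIPS-55.290"); the appliance's own version output uses a different layout and would need the regular expression adjusted. The host names and versions in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

# Fix thresholds as listed in the Citrix advisory quoted in the article:
# a build is affected if it is older than the listed build for its release line.
FIXED_BUILDS = {
    "13.0": (58, 32),         # 13.0-58.32
    "12.1": (65, 25),         # 12.1-65.25
    "12.1-FIPS": (55, 291),   # 12.1-55.291 (FIPS)
    "12.1-NDcPP": (55, 291),  # 12.1-55.291 (NDcPP)
}

# Assumed notation (this script's own): "<release>[-FIPS|-NDcPP]-<build>.<minor>".
VERSION_RE = re.compile(
    r"^(?P<release>\d+\.\d+)(?:-(?P<flavor>FIPS|NDcPP))?-(?P<build>\d+)\.(?P<minor>\d+)$"
)


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Split a version string into its release line and a comparable (build, minor) tuple."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    line = m["release"] + (f"-{m['flavor']}" if m["flavor"] else "")
    return line, (int(m["build"]), int(m["minor"]))


def build_is_affected(version: str) -> Optional[bool]:
    """True if the build predates the fix, False if it is at/after the fix,
    None if the release line is not covered by the advisory."""
    line, build = parse_version(version)
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return None
    return build < fixed


def assess(version: str, saml_sp: bool = False, saml_idp: bool = False) -> str:
    """Triage one appliance. An affected build with SAML SP or IdP configured
    matches the condition the advisory describes as exposed; an affected build
    without SAML still needs the update, but is not in the described exposure."""
    affected = build_is_affected(version)
    if affected is None:
        return "not-listed"
    if not affected:
        return "patched"
    if saml_sp or saml_idp:
        return "exposed"
    return "affected-build-no-saml"


if __name__ == "__main__":
    # Constructed sample inventory: (host, version, saml_sp, saml_idp). Not real hosts.
    inventory = [
        ("adc-dmz-01", "13.0-58.30", True, False),
        ("adc-dmz-02", "13.0-58.32", True, False),
        ("gw-fips-01", "12.1-FIPS-55.290", False, True),
        ("adc-lab-01", "12.1-65.24", False, False),
        ("adc-new-01", "13.1-33.47", True, False),
    ]
    for host, ver, sp, idp in inventory:
        print(f"{host:12} {ver:18} {assess(ver, sp, idp)}")
```

Release lines the advisory does not list (13.1 in the sample) are reported as "not-listed" rather than guessed at, since the article only states the four ranges above.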
The sources for this piece include an article in TheHackerNews.
Watch this news on our Youtube channel: https://www.youtube.com/watch?v=TrZdxrcYprE&t=29s