APT5 exploits unauthenticated remote code execution flaw
The U.S. National Security Agency has warned that a Chinese state-sponsored group is exploiting an unauthenticated remote code execution flaw (CVE-2022-27518) to compromise Citrix Application Delivery Controller (ADC) deployments. According to the NSA, a Chinese hacking group known as APT5 has demonstrated capabilities against a Citrix application delivery controller.
According to the NSA and Citrix, APT5 (also known as UNC2630 and MANGANESE), a Chinese state-backed threat actor known to target telecommunications and technology companies, is actively exploiting this vulnerability. APT5 has previously exploited vulnerabilities in Pulse Secure VPNs. The precise details of the exploit are not publicly available.
CVE-2022-27518 is a remote code execution (RCE) vulnerability that affects Citrix ADC or Citrix Gateway when configured as a Security Assertion Markup Language (SAML) service provider (SP) or a SAML identity provider (IdP). A remote, unauthenticated attacker can exploit the critical vulnerability to execute arbitrary code. CVE-2022-27518 did not receive a CVSSv3 score at the time of its initial release.
By revealing the group’s techniques and advising likely targets on how to avoid future attacks, the NSA’s advisory effectively demolishes a suspected Chinese intelligence operation. Citrix, for its part, states that the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the appliance. Attackers exploit it by targeting vulnerable Citrix ADC instances and bypassing authentication controls to gain access to the targeted organizations.
Although Citrix has issued an emergency patch to address the vulnerability, the company’s advisory notes that “exploits of this issue on unmitigated appliances in the wild have been reported.”
The advisory confirms that an unauthenticated, remote attacker can exploit the flaw to gain arbitrary code execution on the vulnerable appliance. It goes on to say that there are no workarounds for this vulnerability and that customers running an affected version with a SAML SP or IdP configuration should update immediately.
The underlying weakness is classified as CWE-644, Improper Control of a Resource Throughout its Lifetime. The affected products are Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32, Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25, Citrix ADC 12.1-FIPS before 12.1-55.291, and Citrix ADC 12.1-NDcPP before 12.1-55.291.
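As an added triage example (not code from the article, the NSA, or Citrix), the Python helper below encodes the fixed builds listed above and flags appliances that predate the fix on their branch while carrying a SAML SP or IdP configuration, the precondition the advisory names. The "13.0-58.32" version-string format, the optional "NS" prefix, and the sample inventory are assumptions; branches the article does not list are treated as not affected.

```python
"""Inventory triage for CVE-2022-27518 (added example, not vendor code)."""
import re
from typing import Iterable, List, Optional, Tuple

# First fixed build per release branch, as quoted in the article.
# Any lower build on the same branch is affected when SAML SP/IdP is configured.
FIXED_BUILDS = {
    "13.0": (58, 32),
    "12.1": (65, 25),
    "12.1-FIPS": (55, 291),
    "12.1-NDcPP": (55, 291),
}

# Assumed input format: "13.0-58.32" or "NS13.0-58.32" -> release, major, minor.
_VERSION_RE = re.compile(r"^(?:NS)?(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> Tuple[str, int, int]:
    """Split a build string into (release, major, minor); raise on junk input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix ADC version string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: str, saml_configured: bool,
                  variant: Optional[str] = None) -> bool:
    """True when the build is below the fix on its branch AND a SAML SP/IdP
    configuration is present. variant is "FIPS", "NDcPP" or None (standard)."""
    release, major, minor = parse_build(version)
    branch = f"{release}-{variant}" if variant else release
    if branch not in FIXED_BUILDS:
        return False  # assumption: branches the article omits are not affected
    if not saml_configured:
        return False  # advisory precondition not met; still patch when convenient
    return (major, minor) < FIXED_BUILDS[branch]


def needs_patch(inventory: Iterable[Tuple[str, str, Optional[str], bool]]) -> List[str]:
    """Names of appliances that must be updated now.
    inventory rows: (name, version, variant, saml_configured)."""
    return [name for name, ver, var, saml in inventory if is_vulnerable(ver, saml, var)]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("adc-dc1", "13.0-58.31", None, True),     # one build short of the fix
    ("adc-dc2", "13.0-58.32", None, True),     # exactly the fixed build
    ("gw-fips", "12.1-55.290", "FIPS", True),  # FIPS branch, below 55.291
    ("adc-lab", "12.1-64.17", None, False),    # old build, but no SAML vserver
]
```

Running needs_patch(SAMPLE_INVENTORY) returns the two appliances that are both below the fixed build and SAML-enabled.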
The sources for this piece include an article in TheHackerNews.