Alert Logic is actively researching a remote code execution (RCE) vulnerability in Citrix ADC and Citrix Gateway (CVE-2022-27518). Customers using a vulnerable version that is configured as a SAML SP or IdP are affected and urged to install an updated build immediately.
Who is affected?
Customers using the following Citrix ADC and Citrix Gateway versions are affected: 12.1 (including FIPS and NDcPP) and 13.0 before 13.0-58.32. In both cases, the appliance is affected only if it is configured as a SAML SP or IdP.
CISA/NSA has identified limited exploitation of this vulnerability in the wild per their advisory.
For more information about this vulnerability, refer to this blog from Citrix.
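The two conditions above (an affected build and a SAML SP or IdP configuration) can be checked together against an appliance's version string and its saved configuration. The following Python is an added example, not Alert Logic or Citrix code; it assumes SAML roles appear in ns.conf as "add authentication samlAction" (SP) or "add authentication samlIdPProfile" (IdP) lines, and the function names, the fixed_12_1 parameter and the sample configuration are constructed for illustration.

```python
import re

FIXED_13_0 = (58, 32)  # advisory: 13.0 builds before 13.0-58.32 are affected

# Assumption: SAML SP/IdP roles appear in ns.conf as these "add authentication" commands.
SAML_CMD = re.compile(
    r"^[ \t]*add[ \t]+authentication[ \t]+(samlAction|samlIdPProfile)\b",
    re.IGNORECASE | re.MULTILINE,
)

def parse_build(version):
    """Split '13.0-58.30' into ('13.0', (58, 30))."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def saml_roles(ns_conf):
    """Return the SAML roles ('SP', 'IdP') configured in ns.conf text."""
    return {"SP" if m.group(1).lower() == "samlaction" else "IdP"
            for m in SAML_CMD.finditer(ns_conf)}

def assess(version, ns_conf, fixed_12_1=None):
    """Classify one appliance for CVE-2022-27518 triage.

    fixed_12_1 is a hypothetical parameter: the advisory names no fixed 12.1
    build, so pass the (major, minor) build from Citrix's bulletin if known.
    """
    release, build = parse_build(version)
    if release == "13.1":
        return "not affected"            # advisory: 13.1 is not affected
    if release == "13.0":
        affected = build < FIXED_13_0
    elif release == "12.1":
        affected = fixed_12_1 is None or build < fixed_12_1
    else:
        return "unknown release"         # not covered by the advisory text
    if not affected:
        return "not affected"
    return "exposed" if saml_roles(ns_conf) else "affected build, no SAML role"

# Constructed sample configuration, not taken from a real appliance.
SAMPLE_CONF = '''
add authentication samlAction sp_example -samlRedirectUrl "https://idp.example.test/sso"
add lb vserver web_example HTTP 192.0.2.10 80
'''

if __name__ == "__main__":
    for v in ("13.0-58.30", "13.0-58.32", "12.1-60.1", "13.1-30.1"):
        print(v, "->", assess(v, SAMPLE_CONF))
```

An appliance reported as "affected build, no SAML role" still needs the updated build; the result only separates appliances that meet both conditions from those that meet one.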
What can I do?
No workaround is available, so customers are advised to install the current 12.1 build (including FIPS and NDcPP variants) or the current 13.0 build (13.0-88.16). As an alternative, customers may upgrade to the 13.1 version, which is not affected.
How is Alert Logic helping me?
Alert Logic is actively researching this threat to build detection capabilities. Alert Logic appliances and infrastructure are not affected by this vulnerability.
Network IDS: Alert Logic is actively researching this threat to build detection capabilities.
Log Management: Alert Logic has deployed initial telemetry analytics to aid in detection research.
Vulnerability Scanning: Alert Logic released scan coverage on December 15, 2022, by 22:30 CST to identify this vulnerability. An unauthenticated scan performed after this release will check for the version of Citrix ADC/Gateway. If a vulnerable version is found, an exposure will be raised for CVE-2022-27518.
Alert Logic has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.
12/16/2022: Alert Logic released scan coverage on December 15, 2022, by 22:30 CST to identify this vulnerability.