
Citrix patches critical ADC flaw the NSA says is already under attack from China

The China-linked crime gang APT5 is already attacking a flaw in Citrix’s Application Delivery Controller (ADC) and Gateway products that the vendor patched today.

Citrix says the flaw, CVE-2022-27518, “could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance” if it is configured as a SAML service provider or identity provider (SAML SP, SAML IdP).

Unusually, Citrix has a policy of not revealing the Common Vulnerability Scoring System (CVSS) scores for its flaws. CVSS rates flaws on a ten-point scale, with anything rated above 9.0 deemed Critical and therefore worthy of urgent attention due to the significant risk of exploitation.

The Register suggests the flaw may be closer to a 10.0 score than a 9.0 rating, because Citrix’s announcement of the flaw was quickly followed by publication of threat hunting guidance [PDF] from the United States’ National Security Agency (NSA), which believes a China-linked crime gang known as APT5 (aka UNC2630 and MANGANESE) has already “demonstrated capabilities” to attack Citrix ADCs.

The NSA’s threat hunting guidance offers a detailed and lengthy procedure to detect a compromised ADC and warns that if one of the steps doesn’t find evidence of an attack, others may.

“Treat these detection mechanisms as independent ways of identifying potentially malicious activity on impacted systems,” the guidance states. “Artefacts may vary based on the environment and the stage of that activity. As such, NSA recommends investigating any positive result even if other detections return no findings.”

Citrix’s advice is to enable audit logging and apply the patches it has prepared for its products.

Security vendor Tenable has analyzed the flaw and, at the time of writing, had not found proof-of-concept code for it.

Citrix’s ADCs are something of a favorite for Chinese attackers – four flaws in the product made the NSA’s 25 most attacked flaws list in 2020.

One of the flaws on that list is the notorious CVE-2019-19781 that allowed arbitrary code execution with no account credentials.

Citrix announced the flaw in late December 2019, but patches did not appear until January 20, 2020.

Citrix’s blog post and support article about the new flaw don’t include an apology or expression of regret. Long-suffering ADC customers might not accept one, anyway. ®