A critical bug has been identified in the Citrix Application Delivery Management console (ADM) that, if exploited, could lead to a serious security breach including allowing the attackers access to reset admin passwords.
Citrix warned customers to immediately deploy the security updates released to address this vulnerability. Citrix ADM is a web-based solution aimed at providing admins with access to a secure, centralized cloud-based console through which they can easily carry out and manage cloud Citrix and on-premises deployments such as Citrix Gateway, Citrix Secure Web Gateway, and Citrix Application Delivery Controller.
Tracked as CVE-2022-27511, the bug in question was reported by Florian Hauser of Code White and is said to have been caused by an Improper Access Control weakness. When exploited, the bug is capable of allowing unauthenticated threat actors unlimited remote access to all supported versions the of Citrix ADM server and Citrix ADM agents.
Following discovery, Citrix clarified in a press release that the impact of the vulnerability can go as far as allowing admin password reset at the next device reboot, and gives hackers with ssh access the ability to connect with default admin credentials once the reboot has been completed.
Immediate Upgrade or Mitigation
Citrix has also advised that customers who are currently running the supported versions of Citrix ADM and Citrix ADM servers should begin to carry out upgrades or mitigation actions immediately.
The company iterated that the flaws have indeed been addressed, but an upgrade must be made on both the Citrix ADM servers and all Citrix ADM agents, going as far as to provide detailed instructions on how to upgrade the servers of all associated CDM agents in its documentation website.
Furthermore, they also specified that those who, for some reason or another, are unable to carry out immediate upgrades can at least try to mitigate associated risks by following the instructions shared by the company
This instruction entails segmenting network traffic to the Citrix ADM’s IP address from that of the standard network traffic, either physically or logically. Doing this, the company mentioned, will greatly reduce the risk of exploitation.
The company also released a patch (CVE-2022-27512) the same week of a security flaw that could lead to a temporary break of the license server if exploited.