A newly disclosed vulnerability in Citrix application delivery controllers and its Gateway remote access solution allows an unauthenticated attacker to execute arbitrary code, and follow-up guidance from U.S. national security officials indicate that a Chinese-linked advanced persistent threat group has already made use of it.
According to a Citrix security bulletin, a customer’s ADC or Gateway solution must be configured with SAML SP or IdP authentication for the bug to be exploited. The vulnerability affects the following versions: Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32, Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25, Citrix ADC 12.1-FIPS before 12.1-55.291. Citrix ADC 12.1-NDcPP before 12.1-55.291. Citrix ADC and Citrix Gateway version 13.1 is unaffected, as are customers using Citrix cloud-managed services or adaptive authentication.
The bug was discovered during an internal Citrix review and has already been exploited by an unspecified threat actor. The company urged affected parties to update to the latest available build immediately.
“Exploits of this issue on unmitigated appliances in the wild have been reported. Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible,” the notice reads.
While the Citrix bulletin did not provide any details around attribution, the National Security Agency and the Cybersecurity and Infrastructure Security Agency released an advisory the same day detailing how APT5 — a hacking group that has been tied to the Chinese government and is known for stealing telecommunications and military application technologies in the U.S. and Asia — has been actively targeting Citrix ADC deployments.
NSA Cybersecurity Director Rob Joyce confirmed on Twitter that the hacking group is currently using the vulnerability to compromise Citrix customers and urged affected parties to report any incidents.
“Active exploitation [of] Citrix devices underway by APT5. NSA threat hunting guidance linked below to identify and remediate this activity. Update to the latest Citrix release, check for compromise, and let us know if you find anything,” Joyce said.
All affected customers are advised to update to the 12.1 or 13.0 build versions and set up audit logging to monitor attempted attacks on their controllers or Gateway appliances. There are no other workarounds apart from updating to an unaffected version or disabling SAML authentication and the Citrix blog said the company is not able to provide forensic analysis to determine whether a device or system is compromised.
According to the NSA threat hunting guidance, APT5 has been observed using Citrix ADC vulnerabilities to bypass authentication controls and gain access to victim systems. The agency recommends that affected parties use off-device logging to check for any signs of potential compromise. That includes use of the tool “pb_policy” without being linked to an authenticated administrator, mismatches between the device log and remote logs, unauthorized modifications of user permissions and other suspicious activities.
The NSA advises companies to move all Citrix ADC instances behind a VPN or a solution that leverages multi-factor authentication prior to granting access and isolate the Citrix ADC appliances from the environment. It also includes YARA detection signatures for the malware typically deployed by the group.
According to Mandiant, APT5 is a large threat group that is made up of several subgroups that has focused on hacking satellite communications, telecommunications and technology companies with military applications since at least 2007.
Last year, U.S. officials highlighted 16 common vulnerabilities in networking devices across 10 vendors like Cisco, Citrix and Fortinet, saying threat groups working for Beijing have been using them to hack into telecommunications companies and network providers. The purpose behind these intrusions, according to the agencies, was to establish “a broad network of compromised infrastructure."