The U.S. National Security Agency (NSA) on Tuesday said that a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems.
The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and seize control.
Successful exploitation, however, requires that the Citrix ADC or Citrix Gateway appliance is configured as a SAML service provider (SP) or a SAML identity provider (IdP).
The following supported versions of Citrix ADC and Citrix Gateway are affected by the vulnerability:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
Citrix ADC and Citrix Gateway version 13.1 is not impacted. The company also said there are no workarounds available "beyond disabling SAML authentication or upgrading to a current build."
The virtualization services provider said it is aware of a "small number of targeted attacks in the wild" using the flaw, urging customers to apply the latest patch to unmitigated systems.
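As an added example (not part of the original article or Citrix's advisory), the following Python helper encodes the affected build ranges listed above and combines them with the SAML precondition, so a defender can triage a fleet of appliances from their reported version strings. The `NS13.0: Build 58.32.nc` input format is an assumption modelled on the `show ns version` output and should be adjusted to what the appliances actually report.

```python
import re

# Affected ranges from the advisory above, keyed by (release branch, build variant).
# A build on that branch is affected if it is lower than the first fixed build.
FIXED_BUILDS = {
    ("13.0", None): (58, 32),
    ("12.1", None): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# Assumed version fragment, e.g. "NetScaler NS13.0: Build 58.32.nc" (constructed).
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text):
    """Extract (branch, (major_build, minor_build)) from a version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no NetScaler version found in: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected(branch, build, variant=None):
    """True if the build falls below the fixed build for CVE-2022-27518."""
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        # 13.1 and any branch not listed in the advisory are not in the affected set.
        return False
    return build < fixed  # tuple comparison: (58, 31) < (58, 32)


def assess(text, saml_enabled, variant=None):
    """Triage one appliance: patched/unaffected, vulnerable code path, or exploitable."""
    branch, build = parse_version(text)
    if not is_affected(branch, build, variant):
        return "patched-or-unaffected"
    # Per the advisory, the bug is only reachable when SAML SP or IdP is configured.
    return "exploitable" if saml_enabled else "vulnerable-not-exposed"


if __name__ == "__main__":
    # Constructed sample inventory: (version output, SAML configured, variant)
    fleet = [
        ("NetScaler NS13.0: Build 58.31.nc", True, None),
        ("NetScaler NS12.1: Build 55.290.nc", True, "FIPS"),
        ("NetScaler NS13.1: Build 33.47.nc", True, None),
    ]
    for version, saml, variant in fleet:
        print(version, "->", assess(version, saml, variant))
```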
APT5, also known as Bronze Fleetwood, Keyhole Panda, Manganese, and UNC2630, is believed to operate on behalf of Chinese interests. Last year, Mandiant disclosed espionage activity targeting verticals that aligned with government priorities outlined in China's 14th Five-Year Plan.
Those attacks entailed the abuse of a then-disclosed flaw in Pulse Secure VPN devices (CVE-2021-22893, CVSS score: 10.0) to deploy malicious web shells and exfiltrate valuable information from enterprise networks.
"APT5 has demonstrated capabilities against Citrix Application Delivery Controller deployments," NSA said. "Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls."
Microsoft, last month, pointed out Chinese threat actors' history of discovering and using zero-days to their advantage before being picked up by other adversarial collectives in the wild.
News of the Citrix bug also comes a day after Fortinet disclosed a severe vulnerability that also facilitates remote code execution in FortiOS SSL-VPN devices (CVE-2022-42475, CVSS score: 9.3).
VMware releases updates for code execution vulnerabilities
In a related development, VMware disclosed details of two critical flaws impacting ESXi, Fusion, Workstation, and vRealize Network Insight (vRNI) that could lead to command injection and code execution.
- CVE-2022-31702 (CVSS score: 9.8) – Command injection vulnerability in vRNI
- CVE-2022-31703 (CVSS score: 7.5) – Directory traversal vulnerability in vRNI
- CVE-2022-31705 (CVSS score: 5.9/9.3) – Heap out-of-bounds write vulnerability in EHCI controller
"On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed," the company said in a security bulletin for CVE-2022-31705.