In late 2022, two vulnerabilities, CVE-2022-27510 and CVE-2022-27518, were reported in Citrix ADC and Citrix Gateway. These two Citrix vulnerabilities are a critical issue with a CVSS score of 9.8, and reports are still being made about how these CVEs are used in hacking attempts.

Many Citrix ADCs and Gateways with corresponding security vulnerabilities are still neglected on the internet. There is an opinion that it is impossible to catch cases with CVE-2022-27510 and CVE-2022-27518 vulnerabilities accurately because Citrix’s HTTP banner does not indicate the exact version name. However, Citrix ADC/Gateway’s version information can be accurately found using OSINT technology, and attackers can use the found version information to infiltrate the Citrix ADC/Gateway server left on the internet. 

Ongoing CVE-2022-27510, CVE-2022-27518 Exploitation

Let’s look at the two vulnerabilities of Citrix ADC/Gateway reported a few months ago, CVE-2022-27510 and CVE-2022-27518.

According to the CVE-2022-27510 vulnerability description published by Citrix on November 8, 2022, this authentication bypass vulnerability affects Citrix ADC (formerly NetScaler) and Citrix Gateway, allowing login bypass to penetrate Citrix. In addition, cyber researchers from cyber insurance company At-Bay said in the first week of this year, they had spotted the Royal Ransomware group actively exploiting this vulnerability. 

Furthermore, regarding CVE-2022-27518, on December 13, 2022, NSA (National Security Agency) announced a security notice saying that APT5, a hacking attack group, is actively exploiting Citrix ADC servers using this vulnerability.

Citrix ADC/Gateway Left Exposed on the Internet

According to Criminal IP analysis, tens of thousands of Citrix ADC/Gateway systems are still exposed on the internet, and thousands of machines have this vulnerability.

Search Query: Title:”Citrix Gateway”

Statistics of countries where Citrix Gateway is left exposed
Statistics of countries where Citrix Gateway is left exposed

You can immediately check Citrix ADC and Gateway server appliances left on the internet with Criminal IP’s HTML Title filter. More details can be found at Criminal IP.  

Search Query: Title:”Citrix Gateway”

Criminal IP Asset Search for "Citrix Gateway": Appliances of Citrix ADC and Gateway servers left on the internet can be found
Criminal IP Asset Search for “Citrix Gateway”: Appliances of Citrix ADC and Gateway servers left on the internet can be found

Check Citrix Versions With the OSINT Tool

As mentioned earlier, since version information is not exposed in the HTTP banner, it is challenging to find Citrix ADC/Gateway systems with CVE-2022-27510 and CVE-2022-27518. However, there is a way to find out the version of the device using the OSINT technique. The Citrix ADC/Gateway system has a certain hash value, which can be easily found on the internet. This value is unique for each version, so if you compare the hash value, you can find out the version of the system.  For example, in the screenshot of the GitHub below, you can see that the hash value corresponding to 26df0e65fba681faaeb333058a8b28bf has a version of 12.1-50.28.  

The version information of the Citrix ADC/Gateway system can be found through the unique hash value for each version
The version information of the Citrix ADC/Gateway system can be found through the unique hash value for each version

After searching for the Title:”Citrix Gateway” in Criminal IP, we randomly checked the banner information among the results.  As shown in the screenshot below, the hash value is marked in the HTML body, and the hash value ‘2b46554c087d2d5516559e9b8bc1875d’ shown on the screen is from version 13.0-84.11. That is, the version of Citrix Gateway running on this IP address is 13.0-84.11.

You can check the version information of Citrix Gateway through the hash value of the banner search result of Criminal IP
You can check the version information of Citrix Gateway through the hash value of the banner search result of Criminal IP

If you look through the editor, you can easily see that the hash value is configured in the HTML code as shown below. Looking at the parameters here, the hash value ‘?v=6e7b2de88609868eeda0b1baf1d34a7e’ is added to the URL.

You can check the version information of Citrix ADC/Gateway with the hash value written in the HTML code
You can check the version information of Citrix ADC/Gateway with the hash value written in the HTML code

Given this information, it was possible to check the Citrix ADC/Gateway version information exposed to CVE-2022-27510 and CVE-2022-27518 vulnerabilities. And the following are some examples of mapping CVE-2022-27510 or CVE-2022-27518 by Citrix version. 

Vulnerable Citrix ADC/Gateway Versions

  • 12.1-65.21 (CVE-2022-27518 vulnerability exists)
  • 12.1-63.22 (CVE-2022-27510 & CVE-2022-27518 vulnerabilities exist)
  • 13.0-58.32 (CVE-2022-27510 vulnerability exists)
  • 12.1-57.18 (CVE-2022-27510 & CVE-2022-27518 vulnerabilities exist)
  • 13.0-47.24 (CVE-2022-27510 & CVE-2022-27518 vulnerabilities exist)
  • 12.1-63.23 (CVE-2022-27510 & CVE-2022-27518 vulnerabilities exist)
  • 12.1-55.18 (CVE-2022-27510 & CVE-2022-27518 vulnerabilities exist)
  • 12.1-65.15 (CVE-2022-27510 & CVE-2022-27518 vulnerabilities exist)
  • 13.0-83.27 (CVE-2022-27510 vulnerability exists)
  • 13.0-83.29 (CVE-2022-27510 vulnerability exists)
  • 12.1-62.27 (CVE-2022-27510 vulnerability exists)
  • 13.0-87.9 (CVE-2022-27510 vulnerability exists)
  • 13.0-52.24 (CVE-2022-27510 & CVE-2022-27518 vulnerabilities exist)
  • 13.0-71.44 (CVE-2022-27510 vulnerability exists)

Check Vulnerable Citrix Versions by Hash Value

By checking vulnerable Citrix versions with the hash value, it is possible to accurately determine which systems have CVE-2022-27510 and CVE-2022-27518, which are serious security vulnerabilities of Citrix ADC/Gateway. Furthermore, you can search using the hash value directly. For example, if you want to check only the vulnerable version 12.1-65.21, you can use its hash value, c1b64cea1b80e973580a73b787828daf, as it is in the search. 

Search Query: “Citrix Gateway” “c1b64cea1b80e973580a73b787828daf” country: KR

Criminal IP Asset Search for the hash value of the vulnerable version: IP addresses using the vulnerable version can be searched
Criminal IP Asset Search for the hash value of the vulnerable version: IP addresses using the vulnerable version can be searched

A serious vulnerability has been discovered that allows unauthorized access and arbitrary code execution, but you cannot be helpless against security threats without knowing which version you are using. Even if Citrix version information is not disclosed, IT assets with Citrix vulnerabilities can be identified by searching for the hash value of a specific version found through the OSINT tool.A quick security response is needed as abuse cases have been continuously reported. In addition, more versions than expected have been exposed to CVE-2022-27510 and CVE-2022-27518 vulnerabilities since the discovery of CVEs last year.

Check out this article on Fortinet Authentication Vulnerability for relevant information.

Source : Criminal IP (https://www.criminalip.io/)

Related Article(s) :

CVE-2022-40684: Fortinet Authentication Vulnerability That Threatens Fortinet Users