Hackers Actively Exploiting Citrix ADC and Gateway Zero-Day Vulnerability



Dec 14, 2022 | Ravie Lakshmanan | Software Security / Zero-Day

The U.S. National Security Agency (NSA) on Tuesday said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems.

The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and seize control.

Successful exploitation, however, requires that the Citrix ADC or Citrix Gateway appliance is configured as a SAML service provider (SP) or a SAML identity provider (IdP).

The following supported versions of Citrix ADC and Citrix Gateway are affected by the vulnerability:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix ADC and Citrix Gateway version 13.1 is not impacted. The company also said there are no workarounds available "beyond disabling SAML authentication or upgrading to a current build."
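A defender triaging an appliance inventory against the affected-build list and the SAML precondition above can encode both as a check. The following is an added example, not code from the article or from Citrix; the build-string format, the edition labels and the integer comparison of build numbers are assumptions, and releases the advisory does not list are reported as unknown rather than guessed.

```python
import re
from typing import Optional

# First fixed build per release/edition, taken from the advisory list quoted above.
# Assumption: build strings look like "13.0-58.32" and the two build numbers
# compare as integers (so 55.291 is newer than 55.25).
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}
NOT_IMPACTED = {"13.1"}  # stated as not impacted by Citrix

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str):
    """Split a Citrix build string such as '13.0-58.32' into ('13.0', (58, 32))."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version: str, edition: str = "standard",
           saml_configured: bool = True) -> Optional[str]:
    """Classify one appliance for CVE-2022-27518.

    Returns 'not_impacted', 'patched', 'exploitable',
    'affected_build_saml_disabled', or None when the release/edition is not
    covered by the advisory list and must be assessed manually.
    """
    release, build = parse_version(version)
    if release in NOT_IMPACTED:
        return "not_impacted"
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        return None
    if build >= fixed:
        return "patched"
    # The flaw is only reachable when the appliance is a SAML SP or IdP; an
    # unpatched build without SAML still needs the upgrade, but is not exposed
    # through this path today.
    return "exploitable" if saml_configured else "affected_build_saml_disabled"


def needs_urgent_patch(inventory):
    """Return hostnames (constructed inventory tuples) that are exploitable now."""
    return sorted(host for host, ver, ed, saml in inventory
                  if assess(ver, ed, saml) == "exploitable")
```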

The virtualization services provider said it is aware of a "small number of targeted attacks in the wild" using the flaw, urging customers to apply the latest patch to unmitigated systems.

APT5, also known as Bronze Fleetwood, Keyhole Panda, Manganese, and UNC2630, is believed to operate on behalf of Chinese interests. Last year, Mandiant revealed espionage activity targeting verticals that aligned with government priorities outlined in China's 14th Five-Year Plan.

Those attacks entailed the abuse of a then-disclosed flaw in Pulse Secure VPN devices (CVE-2021-22893, CVSS score: 10.0) to deploy malicious web shells and exfiltrate valuable information from enterprise networks.

"APT5 has demonstrated capabilities against Citrix Application Delivery Controller deployments," NSA said. "Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls."

Microsoft, last month, pointed out Chinese threat actors' history of discovering and using zero-days to their advantage before being picked up by other adversarial collectives in the wild.

News of the Citrix bug also comes a day after Fortinet revealed a severe vulnerability that also facilitates remote code execution in FortiOS SSL-VPN devices (CVE-2022-42475, CVSS score: 9.3).

VMware releases updates for code execution vulnerabilities

In a related development, VMware disclosed details of two critical flaws impacting ESXi, Fusion, Workstation, and vRealize Network Insight (vRNI) that could result in command injection and code execution.

  • CVE-2022-31702 (CVSS score: 9.8) – Command injection vulnerability in vRNI
  • CVE-2022-31703 (CVSS score: 7.5) – Directory traversal vulnerability in vRNI
  • CVE-2022-31705 (CVSS score: 5.9/9.3) – Heap out-of-bounds write vulnerability in the EHCI controller

"On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed," the company said in a security bulletin for CVE-2022-31705.
