Citrix is urging customers to install security updates to address a critical authentication bypass issue, in Citrix ADC and Citrix Gateway.
The company addressed the following three vulnerabilities:
| CVE-ID | Description | CWE | Affected Products | Pre-conditions |
| CVE-2022-27510 | Unauthorized access to Gateway user capabilities | CWE-288: Authentication Bypass Using an Alternate Path or Channel | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) |
| CVE-2022-27513 | Remote desktop takeover via phishing | CWE-345: Insufficient Verification of Data Authenticity | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) and the RDP proxy functionality must be configured |
| CVE-2022-27516 | User login brute force protection functionality bypass | CWE-693: Protection Mechanism Failure | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) OR AAA virtual server and the user lockout functionality “Max Login Attempts” must be configured |
Advertisements
The vendor recommends installing the relevant updated versions as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
- Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
The company highlights that ADC and Gateway versions prior to 12.1 are EOL and recommends customers on those versions upgrade to one of the supported versions.
