Citrix patches critical vulnerabilities in Gateway and ADC
Citrix is urging customers to install security updates that address a critical authentication bypass in Citrix ADC and Citrix Gateway.
The company addressed the following three vulnerabilities:
| CVE ID | Description | CWE | Affected products | Pre-conditions to exploitation |
|---|---|---|---|---|
| CVE-2022-27510 | Unauthorized access to Gateway user capabilities | CWE-288: Authentication Bypass Using an Alternate Path or Channel | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) |
| CVE-2022-27513 | Remote desktop takeover via phishing | CWE-345: Insufficient Verification of Data Authenticity | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) and the RDP proxy functionality must be configured |
| CVE-2022-27516 | User login brute force protection functionality bypass | CWE-693: Protection Mechanism Failure | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) OR AAA virtual server and the user lockout functionality “Max Login Attempts” must be configured |
The vendor recommends installing the relevant updated versions as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-33.47 and later releases of 13.1
- Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
The company highlights that ADC and Gateway versions prior to 12.1 are end of life (EOL) and recommends that customers on those versions upgrade to one of the supported versions above.
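To turn the version list and the pre-condition column of the table into a quick triage check, here is an added example (not Citrix's code) that parses the banner printed by `show ns version` on an ADC or Gateway appliance, compares the build against the fixed releases listed above, and scans an `ns.conf` excerpt for the configuration each CVE requires. The mapping of 12.1 builds in the 55.x train to the FIPS/NDcPP branch is inferred from the advisory's own version list (the banner does not say "FIPS"), the sample banner and configuration are constructed, and the treatment of `-maxLoginAttempts 0` as "lockout not configured" is this example's assumption.

```python
"""Triage helper for the Citrix ADC / Gateway advisory summarised above.

Added example, not Citrix's code: parses the ``show ns version`` banner,
compares the build against the fixed releases in the advisory, and scans
an ns.conf excerpt for the configuration named as exploitation pre-conditions.
"""
import re

# Fixed builds from the advisory, keyed by release branch -> (build, sub-build).
# The advisory lists 12.1-55.289 only for the FIPS and NDcPP images and
# 12.1-65.21 for standard 12.1, so a 12.1 build in the 55.x train is compared
# against the FIPS/NDcPP threshold.  That mapping is inferred from the version
# list; the banner itself carries no FIPS marker.
FIXED_BUILDS = {
    "13.1": (33, 47),
    "13.0": (88, 12),
    "12.1": (65, 21),
    "12.1-FIPS/NDcPP": (55, 289),
}
EOL_BEFORE = (12, 1)  # releases older than 12.1 are end of life per the advisory

# Banner shape: "NetScaler NS13.0: Build 88.12.nc, Date: ..., (64-bit)"
BANNER_RE = re.compile(r"NetScaler NS(?P<major>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_version(banner: str) -> tuple[str, tuple[int, ...]]:
    """Return (release branch, (build, sub-build)) from a version banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    build = tuple(int(part) for part in m.group("build").split("."))
    return m.group("major"), build


def patch_status(banner: str) -> str:
    """'fixed', 'vulnerable', 'eol' or 'unknown' for the given banner."""
    major, build = parse_version(banner)
    if tuple(int(p) for p in major.split(".")) < EOL_BEFORE:
        return "eol"
    branch = "12.1-FIPS/NDcPP" if major == "12.1" and build[0] == 55 else major
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"  # branch not covered by this advisory's list
    return "fixed" if build >= fixed else "vulnerable"


# Configuration statements that satisfy the advisory's pre-conditions.
GATEWAY_RE = re.compile(r"^add vpn vserver\s", re.M)            # VPN (Gateway) vserver
AAA_RE = re.compile(r"^add authentication vserver\s", re.M)     # AAA vserver
RDP_PROXY_RE = re.compile(r"^add rdp (?:server|client)profile\s", re.M)  # RDP proxy
# Assumption of this example: -maxLoginAttempts 0 (or absent) means the lockout
# is off, so only a positive value counts as "Max Login Attempts" configured.
LOCKOUT_RE = re.compile(r"-maxLoginAttempts\s+[1-9]\d*\b", re.M)


def exposed_cves(config: str) -> set[str]:
    """CVEs from the advisory whose pre-conditions the configuration meets."""
    gateway = bool(GATEWAY_RE.search(config))
    aaa = bool(AAA_RE.search(config))
    rdp_proxy = bool(RDP_PROXY_RE.search(config))
    lockout = bool(LOCKOUT_RE.search(config))
    cves: set[str] = set()
    if gateway:
        cves.add("CVE-2022-27510")          # Gateway configured
        if rdp_proxy:
            cves.add("CVE-2022-27513")      # Gateway + RDP proxy
    if (gateway or aaa) and lockout:
        cves.add("CVE-2022-27516")          # Gateway or AAA + Max Login Attempts
    return cves


def triage(banner: str, config: str) -> dict:
    """Combine patch level and configuration into one verdict."""
    status = patch_status(banner)
    exposed = exposed_cves(config) if status in ("vulnerable", "eol") else set()
    return {"status": status, "exposed": sorted(exposed)}


# Constructed sample input: an unpatched 13.0 appliance with a Gateway vserver,
# RDP proxy and login lockout configured (addresses from 203.0.113.0/24).
SAMPLE_BANNER = "NetScaler NS13.0: Build 86.17.nc, Date: Jan 1 2022, 00:00:00   (64-bit)"
SAMPLE_CONFIG = """\
add vpn vserver gw_vs SSL 203.0.113.10 443
add rdp serverprofile rdp_srv -rdpIP 203.0.113.12
set vpn vserver gw_vs -rdpServerProfileName rdp_srv
set aaa parameter -maxLoginAttempts 5 -failedLoginTimeout 10
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Feed it the real banner and a `show run` dump from each appliance; a `fixed` status ends the check, while `vulnerable` or `eol` together with a non-empty `exposed` list tells you which of the three issues that box is actually open to, which is what decides whether an emergency change window is justified.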