Description of Problem
Vulnerabilities have been discovered in Citrix Gateway and Citrix ADC, listed below. Note that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the first issue, which is rated as a Critical severity vulnerability.
| CVE-ID | Description | CWE | Affected Products | Pre-conditions |
|---|---|---|---|---|
| CVE-2022-27510 | Unauthorized access to Gateway user capabilities | CWE-288: Authentication Bypass Using an Alternate Path or Channel | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) |
| CVE-2022-27513 | Remote desktop takeover via phishing | CWE-345: Insufficient Verification of Data Authenticity | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) and the RDP proxy functionality must be configured |
| CVE-2022-27516 | User login brute force protection functionality bypass | CWE-693: Protection Mechanism Failure | Citrix Gateway, Citrix ADC | Appliance must be configured as a VPN (Gateway) OR AAA virtual server and the user lockout functionality "Max Login Attempts" must be configured |
The following supported versions of Citrix ADC and Citrix Gateway are affected by these vulnerabilities:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
- Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
- Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21
- Citrix ADC 12.1-FIPS before 12.1-55.289
- Citrix ADC 12.1-NDcPP before 12.1-55.289
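The version list above is the check a defender runs first. The following added example (not part of the bulletin and not Citrix's own tooling) encodes the fixed builds listed above and decides whether a given version string predates the fix for its release line. It accepts the bulletin's own "release-build" notation and, as an assumption of this example, the "NetScaler NSxx.y: Build a.b.nc" wording of the appliance's `show version` output; the FIPS and NDcPP editions share the 12.1 release line with the standard build, so the edition is passed explicitly rather than guessed from the string.

```python
import re
from typing import Optional, Tuple

# Fixed builds taken from the bulletin; any earlier build on the same
# release line is affected. Key: (release line, edition). The bulletin
# writes the 12.1 fix as "12.1.65.21"; it is normalized here to the same
# (build, minor) tuple shape as the other entries.
FIXED_BUILDS = {
    ("13.1", "standard"): (33, 47),
    ("13.0", "standard"): (88, 12),
    ("12.1", "standard"): (65, 21),
    ("12.1", "fips"): (55, 289),
    ("12.1", "ndcpp"): (55, 289),
}

# Matches "13.0-88.12", "12.1.65.21" and the "NetScaler NS13.0: Build 88.12.nc"
# form of `show version` output (assumed format, not taken from the bulletin).
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<release>1[23]\.[01])"
    r"(?:[-.]|:\s*Build\s+)"
    r"(?P<build>\d+)\.(?P<minor>\d+)"
)


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (release_line, (build, minor)), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group("release"), (int(m.group("build")), int(m.group("minor")))


def is_affected(text: str, edition: str = "standard") -> Optional[bool]:
    """True if the build predates the fix for its release line, False if it
    is at or after the fix, None if the release line or edition is not
    covered by the bulletin (so no conclusion can be drawn from it)."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    release, build = parsed
    fixed = FIXED_BUILDS.get((release, edition.lower()))
    if fixed is None:
        return None
    # Tuple comparison orders by build number first, then minor number.
    return build < fixed


if __name__ == "__main__":
    # Constructed sample inventory: (label, version text, edition).
    inventory = [
        ("gw-01", "NetScaler NS13.0: Build 87.9.nc, Date: Jun 22 2022", "standard"),
        ("gw-02", "13.1-33.47", "standard"),
        ("gw-03", "12.1-55.280", "FIPS"),
        ("gw-04", "12.0-63.21", "standard"),
    ]
    for label, text, edition in inventory:
        verdict = is_affected(text, edition)
        state = {True: "AFFECTED", False: "fixed", None: "not covered"}[verdict]
        print(f"{label}: {state} ({text}, {edition})")
```

Running the block prints one line per inventory entry; a `None` verdict means the release line (12.0 in the sample) is not listed in the bulletin, which is deliberately reported as "not covered" rather than "fixed".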
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway appliances. Customers using Citrix-managed cloud services do not need to take any action.
Please also monitor the Citrix article for any changes: https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516