Citrix announced on Tuesday that Citrix Application Delivery Management (ADM) has a serious vulnerability that could allow an unauthorized attacker to log in as administrator.
Citrix ADM is a centralized management solution that gives you access to your application delivery system and automates administration tasks. It’s set up as a server that connects with agents on appliances that are managed externally.
The newly patched security flaw, tracked as CVE-2022-27511, is described as an improper access control vulnerability that could allow an unauthenticated, remote attacker to corrupt the system and force an administrator password reset.
Citrix states in its advisory that “the consequences of this could include the administrator password being reset at the next device restart, allowing a hacker with SSH access to login with the default administrator access information after the device has rebooted.” The vulnerability was fixed in tandem with CVE-2022-27512, described as a resource control problem.
Because of that second issue, the ADM license service could be temporarily disrupted, preventing Citrix ADM from issuing new licenses or renewing existing ones.
Citrix states that these vulnerabilities affect all supported versions of the Citrix ADM server and Citrix ADM agent, specifically versions 13.1 and 13.0. According to the firm, Citrix ADM 12.1 has reached end of life (EOL) and is no longer maintained.
Customers should upgrade to Citrix ADM 13.1-21.53 or later versions of 13.1 or Citrix ADM 13.0-85.19 or later versions of 13.0, as these versions contain the required changes. The Citrix ADM server, as well as all Citrix ADM agents that are connected to it, must be upgraded.
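The upgrade guidance above can be turned into an inventory check. The following is an added example, not Citrix code: it assumes build strings in the `major.minor-build.patch` form used in this article, and the host names and inventory are constructed for illustration.

```python
import re

# Fixed builds as stated in the article, keyed by release branch.
FIXED = {(13, 1): (21, 53), (13, 0): (85, 19)}
# Branch the article reports as end of life (no longer maintained).
EOL_BRANCHES = {(12, 1)}

_VERSION = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")


def classify(version):
    """Return 'patched', 'vulnerable', 'eol', 'unknown-branch' or 'unparseable'."""
    m = _VERSION.match(version)
    if not m:
        return "unparseable"
    major, minor, build, patch = map(int, m.groups())
    branch = (major, minor)
    if branch in EOL_BRANCHES:
        return "eol"
    if branch not in FIXED:
        # Branch not mentioned in the article: check the vendor advisory.
        return "unknown-branch"
    # Compare numerically, so 85.9 sorts below 85.19.
    return "patched" if (build, patch) >= FIXED[branch] else "vulnerable"


def audit(inventory):
    """inventory: iterable of (host, role, version).

    Returns every host that is not confirmed patched. The server and all
    connected agents must be upgraded, so any entry here needs follow-up.
    """
    return [(host, role, ver, classify(ver))
            for host, role, ver in inventory
            if classify(ver) != "patched"]


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE = [
    ("adm-server-01", "server", "13.1-21.53"),
    ("adm-agent-01", "agent", "13.1-17.42"),
    ("adm-agent-02", "agent", "13.0-85.9"),
    ("adm-agent-03", "agent", "12.1-62.27"),
]

if __name__ == "__main__":
    for host, role, ver, status in audit(SAMPLE):
        print(f"{host} ({role}) {ver}: {status}")
```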
Citrix also notes that the Citrix ADM cloud service has already been updated and that customers who use it do not need to do anything further. Customers unable to apply the security patches should segment network traffic to the Citrix ADM’s IP address from ordinary network traffic, either physically or logically.
What happens when a vulnerability is reported to Citrix
According to the company, Citrix is dedicated to securing its products and clients. Throughout the Secure Development Lifecycle (SDLC), it aims to adhere to industry standards. Citrix has a strong Security Response Process as part of its SDLC program, which accepts vulnerability reports against Citrix products and services from both customers and researchers.
The Citrix Security Response Team is a global group in charge of receiving, verifying, and publicly disclosing information about security flaws in Citrix products. Citrix’s vulnerability response process, which adheres to the international standard ISO/IEC 29147:2018, applies to all issues submitted to it and proceeds as follows:
Citrix will generate a new case identifier and confirm receipt by the end of the next working day after receiving a vulnerability report.
From the time of release until the End of Life, Citrix will examine flaws in Citrix products and services. The degree of risk and other environmental elements will be used to prioritize the assessment and verification of concerns.
Citrix will collaborate with the reporter throughout the investigation to establish the nature of the vulnerability, obtain necessary technical information, and determine the best course of action. When the initial inquiry is over, the results are sent to the reporter, along with a resolution plan and, if necessary, public disclosure.
Analysis of Variants
Citrix will conduct a thorough investigation to guarantee that comparable problems are detected and that any action taken will address the entire class of problems.
Citrix will update the researcher as the handling of the reported vulnerability progresses. Citrix’s Security Response team will collaborate with the company’s internal product development teams to resolve the issue. The time it takes to release a fix depends on its complexity and severity.
Citrix will send mitigation information to users when a mitigation or software update is issued, often in the form of a security advisory and software patches or upgrades. If Citrix discovers a risk in a third-party product or service during the vulnerability handling process, it will disclose the issue appropriately and coordinate public releases.