Citrix announced on Tuesday that Citrix Application Delivery Management (ADM) contains a critical vulnerability that could allow an unauthenticated attacker to log in as an administrator.
Citrix ADM is a centralized management solution that gives administrators visibility into their application delivery infrastructure and automates management tasks. It is deployed as a server that communicates with ADM agents installed at remote locations.
The newly patched bug, tracked as CVE-2022-27511, is described as an improper access control vulnerability that could allow an unauthenticated, remote attacker to corrupt the system and reset the administrator password.
Citrix warned that this could include “resetting the administrator password at the next device restart, allowing a hacker with SSH access to log in with the default administrator access information after rebooting the device.” The same release also fixes a second flaw, CVE-2022-27512, described as improper control of a resource through its lifetime.
CVE-2022-27512 can cause a temporary disruption of the ADM license service, preventing Citrix ADM from issuing new licenses or renewing existing ones.
Citrix states that these vulnerabilities affect all supported versions of Citrix ADM Server and Citrix ADM Agent, namely versions 13.1 and 13.0. According to the company, Citrix ADM 12.1 has reached end-of-life (EOL) and is no longer maintained, so it receives no fix.
Customers should upgrade to Citrix ADM 13.1-21.53 or a later 13.1 release, or to Citrix ADM 13.0-85.19 or a later 13.0 release, as these builds contain the fixes. Both the Citrix ADM Server and all Citrix ADM agents connected to it must be upgraded.
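As an added example (not Citrix tooling, and not part of the original advisory), the following Python script checks a Citrix ADM version string of the form “13.1-21.53” against the minimum fixed builds above and flags every server and agent in a constructed inventory that still needs an upgrade. It compares version components numerically, because a plain string comparison would rank 13.1-9.30 above 13.1-21.53 and wrongly report it as fixed; 12.1 is treated as unfixable because it is end-of-life. The inventory, hostnames and the unknown-branch handling are assumptions made for the example.

```python
"""Check Citrix ADM server/agent versions against the fixed builds for
CVE-2022-27511 and CVE-2022-27512. Added example; not Citrix's own tooling."""
import re
from typing import Dict, List, Tuple

Branch = Tuple[int, int]
Build = Tuple[int, int]

# Minimum fixed build per supported branch, as stated in the advisory.
FIXED_BUILDS: Dict[Branch, Build] = {
    (13, 1): (21, 53),   # Citrix ADM 13.1-21.53 and later
    (13, 0): (85, 19),   # Citrix ADM 13.0-85.19 and later
}

# 12.1 is end-of-life and receives no fix, so no build of it is ever "fixed".
EOL_BRANCHES = {(12, 1)}

# Version strings look like "13.1-21.53": <major>.<minor>-<build>.<patch>
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[Branch, Build]:
    """Split '13.1-21.53' into ((13, 1), (21, 53)).

    Components are converted to int so that comparisons are numeric:
    (9, 30) < (21, 53), whereas the strings "9.30" > "21.53".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix ADM version string: {version!r}")
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor), (build, patch)


def status(version: str) -> str:
    """Classify a version as 'fixed', 'vulnerable', 'eol' or 'unknown'."""
    branch, build = parse_version(version)
    if branch in EOL_BRANCHES:
        return "eol"
    if branch not in FIXED_BUILDS:
        # A branch the advisory does not mention: report it rather than
        # silently treating it as safe (assumption made for this example).
        return "unknown"
    return "fixed" if build >= FIXED_BUILDS[branch] else "vulnerable"


# Constructed inventory for the example: (hostname, role, reported version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("adm-server-01", "server", "13.1-21.53"),
    ("adm-agent-dc1", "agent", "13.1-9.30"),
    ("adm-agent-dc2", "agent", "13.0-85.19"),
    ("adm-agent-lab", "agent", "12.1-65.25"),
]


def hosts_needing_action(inventory=INVENTORY) -> List[Tuple[str, str, str]]:
    """Return (hostname, role, status) for every host that is not on a fixed build.

    The server and every agent must be checked, since the advisory requires
    both to be upgraded.
    """
    return [
        (name, role, status(version))
        for name, role, version in inventory
        if status(version) != "fixed"
    ]


if __name__ == "__main__":
    for name, role, version in INVENTORY:
        print(f"{name:15} {role:7} {version:12} {status(version)}")
    print("needs action:", hosts_needing_action())
```

Run the script as-is to see the constructed inventory classified; in practice the inventory would be filled from the versions reported by each ADM server and agent.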
The company also noted that the Citrix ADM cloud service has already been updated and that customers using it need to take no further action. Customers who cannot apply the patches immediately should segment network traffic to the Citrix ADM IP address, physically or logically, from standard network traffic. This reduces exposure but does not remove the vulnerability.
What happens when a vulnerability is reported to Citrix
According to the company, Citrix is committed to protecting its products and customers, and its Secure Development Lifecycle (SDLC) aims to follow industry standards. Part of that SDLC program is a security response process that receives vulnerability reports against Citrix products and services from both customers and researchers.
The Citrix Security Response Team is a global group responsible for receiving, verifying and disclosing information about security flaws in Citrix products. Citrix's vulnerability response process, which follows the international standard ISO/IEC 29147:2018, handles every issue submitted to it as follows:
Citrix creates a new case identifier and confirms receipt by the end of the next working day after receiving a vulnerability report.
Citrix assesses reported flaws in its products and services from release until end of life. Risk level and other environmental factors are used to prioritize the assessment and verification of issues.
Citrix works with the reporter during the investigation to establish the nature of the vulnerability, obtain the necessary technical details, and decide on the best course of action. When the initial investigation is complete, the results and a resolution plan are sent to the reporter and, where appropriate, published.
Citrix investigates thoroughly to identify similar problems, so that any fix addresses the whole class of issue rather than the single reported instance.
Citrix keeps the reporter updated as handling of the reported vulnerabilities progresses. The security response team works with the internal product development team to resolve the issue; the time needed to publish a fix depends on its complexity and severity.
When a mitigation or software update is released, Citrix communicates it to customers, usually as a security advisory together with a software patch or upgrade. If Citrix identifies a risk to a third-party product or service during the handling process, it discloses the problem responsibly to that party and coordinates public disclosure.