IT and cybersecurity vendors Citrix and Fortinet have released security updates for zero-day vulnerabilities that were being actively exploited by threat actors.
The U.S. National Security Agency (NSA) released an advisory on a threat actor tracked as APT5 (also known as UNC2630 and MANGANESE, and linked to China), which has "demonstrated capabilities" against Citrix's Application Delivery Controller (ADC) and Gateway appliances.
The vulnerability in question, tracked as CVE-2022-27518, is a critical unauthenticated remote code execution (RCE) bug that, in the NSA's words, would allow the threat actor to "facilitate illegitimate access to targeted organizations by bypassing normal authentication controls."
Successful exploitation requires that the Citrix ADC or Gateway appliance is configured as a SAML service provider (SP) or a SAML identity provider (IdP); appliances with no SAML configuration are not affected by this issue.
The following supported versions of Citrix ADC and Gateway are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
See the NSA advisory, "APT5: Citrix ADC Threat Hunting Guidance," for more information, including TTPs, IOCs, and mitigations.
The Fortinet zero-day, tracked as CVE-2022-42475, is also an RCE bug; it affects the SSL-VPN component of FortiOS. Fortinet described the vulnerability in a recent advisory:
"A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Fortinet is aware of an instance where this vulnerability was exploited in the wild."
Security researcher Kevin Beaumont shared on Mastodon that the vulnerability was being exploited to gain access to corporate networks and then deploy ransomware, though he did not name the ransomware group behind the attacks.
The following Fortinet products are affected by this vulnerability:
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS version 6.0.0 through 6.0.15
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
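As an added triage example (not code from the Citrix, Fortinet, or NSA advisories): the script below encodes the affected ranges listed above for both CVEs, compares a parsed appliance version against them numerically rather than as strings, and checks an ADC configuration for the SAML directives that are the exploitation precondition for CVE-2022-27518. The `show version` and `get system status` output formats, the ns.conf directive names, and every sample input are assumptions constructed for illustration; verify them against your own appliances before relying on the result.

```python
"""Triage helper: is an appliance inside the affected ranges published for
CVE-2022-27518 (Citrix ADC/Gateway) and CVE-2022-42475 (FortiOS SSL-VPN)?

The ranges below are the ones listed in the vendor advisories. The CLI output
formats, ns.conf directive names and all sample inputs are assumptions
constructed for this example, not captured appliance output.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '58.32', '7.0.8' or '55.291' into an int tuple so that 6.4.10 > 6.4.9."""
    return tuple(int(p) for p in re.split(r"[.\-]", text))


# CVE-2022-27518: a build is affected when it is *before* the fixed build.
# Keyed by (release train, flavor); flavor is 'standard', 'FIPS' or 'NDcPP'.
# Trains not listed in the advisory (e.g. 13.1) are treated as not affected.
CITRIX_FIXED_BUILD = {
    ("13.0", "standard"): parse_version("58.32"),
    ("12.1", "standard"): parse_version("65.25"),
    ("12.1", "FIPS"): parse_version("55.291"),
    ("12.1", "NDcPP"): parse_version("55.291"),
}

# CVE-2022-42475: affected when first <= version <= last (ranges are inclusive).
FORTIOS_AFFECTED = {
    "FortiOS": [("7.2.0", "7.2.2"), ("7.0.0", "7.0.8"), ("6.4.0", "6.4.10"),
                ("6.2.0", "6.2.11"), ("6.0.0", "6.0.15")],
    "FortiOS-6K7K": [("7.0.0", "7.0.7"), ("6.4.0", "6.4.9"),
                     ("6.2.0", "6.2.11"), ("6.0.0", "6.0.14")],
}


def citrix_affected(version: str, flavor: str = "standard") -> bool:
    """version is 'train-build', e.g. '13.0-58.30'."""
    if "-" not in version:
        raise ValueError(f"expected 'train-build' like 13.0-58.32, got {version!r}")
    train, build = version.split("-", 1)
    fixed = CITRIX_FIXED_BUILD.get((train, flavor))
    return fixed is not None and parse_version(build) < fixed


def fortios_affected(version: str, product: str = "FortiOS") -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in FORTIOS_AFFECTED.get(product, []))


# Pulling the version out of CLI output. Both regexes assume the output shape
# shown in the constructed samples below ('NS13.0: Build 58.30.nc' and 'v7.0.8').
CITRIX_SHOW_VERSION = re.compile(r"NS(\d+\.\d+): Build (\d+\.\d+)")
FORTI_SYSTEM_STATUS = re.compile(r"\bv(\d+\.\d+\.\d+)\b")


def citrix_version_from_show_version(output: str) -> Optional[str]:
    m = CITRIX_SHOW_VERSION.search(output)
    return f"{m.group(1)}-{m.group(2)}" if m else None


def fortios_version_from_status(output: str) -> Optional[str]:
    m = FORTI_SYSTEM_STATUS.search(output)
    return m.group(1) if m else None


# Exploitation precondition for CVE-2022-27518: a SAML SP or IdP configuration.
# Assumed ns.conf directives: 'add authentication samlAction' (SP) and
# 'add authentication samlIdPProfile' (IdP).
SAML_DIRECTIVES = ("add authentication samlAction", "add authentication samlIdPProfile")


def saml_configured(ns_conf: str) -> bool:
    return any(line.strip().startswith(SAML_DIRECTIVES) for line in ns_conf.splitlines())


# Constructed sample inputs (not real appliance output).
SAMPLE_SHOW_VERSION = "NetScaler NS13.0: Build 58.30.nc, Date: Sep 7 2022, 10:02:49"
SAMPLE_NS_CONF = """\
add authentication samlAction saml_sp_idp -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.com/sso"
add authentication Policy saml_pol -rule true -action saml_sp_idp
"""
SAMPLE_SYSTEM_STATUS = "Version: FortiGate-100F v7.0.8,build0418,221018 (GA)"


def triage_citrix(show_version: str, ns_conf: str, flavor: str = "standard") -> dict:
    v = citrix_version_from_show_version(show_version)
    vulnerable_build = v is not None and citrix_affected(v, flavor)
    saml = saml_configured(ns_conf)
    # A vulnerable build without SAML is not exploitable via this bug, but still needs the patch.
    return {"version": v, "vulnerable_build": vulnerable_build,
            "saml_configured": saml, "exploitable": vulnerable_build and saml}


def triage_fortios(system_status: str, product: str = "FortiOS") -> dict:
    v = fortios_version_from_status(system_status)
    return {"version": v, "vulnerable": v is not None and fortios_affected(v, product)}


if __name__ == "__main__":
    print(triage_citrix(SAMPLE_SHOW_VERSION, SAMPLE_NS_CONF))
    print(triage_fortios(SAMPLE_SYSTEM_STATUS))
```

Two details matter here. Versions are compared as integer tuples, because a string comparison would rank 6.4.10 below 6.4.9 and miss an affected FortiOS build. And the FortiOS-6K7K ranges end one release earlier than the main FortiOS ranges, so the product line has to be passed in rather than inferred from the version number alone.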
Fortinet also published IOCs (log entries, file system artifacts, and IP addresses) and urged customers to validate their systems against them immediately.
Follow SecureWorld News for more stories related to cybersecurity.