Critical RCE Alarm on Citrix ADC and Citrix Gateway
The security vulnerability tracked as CVE-2022-27518 is caused by incorrect access restrictions on systems configured as SAML SP or SAML IdP. An unauthenticated, remote threat actor can gain unauthorized access to the system and execute arbitrary code.
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
Citrix ADC and Citrix Gateway version 13.1 is not affected by the vulnerability. In addition, the vulnerability is being actively exploited by threat actors. Whether a Citrix ADC or Citrix Gateway is configured as a SAML SP or SAML IdP can be determined by inspecting the ns.conf file for the following commands. If either command is present in ns.conf and the version is affected, the appliance needs to be updated:
- add authentication samlIdPProfile
- add authentication samlAction
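As an added example (not from the advisory and not Citrix's own tooling), the check described above applied to an exported ns.conf in Python: the build string is parsed and compared with the first fixed build of each affected branch, and the configuration is scanned for the two SAML commands. The sample configuration, the `flavor` argument (standard/FIPS/NDcPP) and the option names in the sample line are constructed assumptions.

```python
import re

# First fixed build per affected branch, as listed in the advisory.
# Keys for the FIPS and NDcPP builds carry the flavor suffix because the
# plain build string alone does not reveal which product line it belongs to.
FIXED_BUILDS = {
    "13.0": "13.0-58.32",
    "12.1": "12.1-65.25",
    "12.1-FIPS": "12.1-55.291",
    "12.1-NDcPP": "12.1-55.291",
}

# The two ns.conf commands that mark a SAML SP (samlAction) or IdP (samlIdPProfile).
SAML_COMMANDS = re.compile(
    r"^\s*add\s+authentication\s+(samlAction|samlIdPProfile)\b",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample ns.conf excerpt (assumed syntax, not a real appliance export).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.1 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example/sso"
add authentication vserver auth_vs SSL 10.0.0.2 443
"""


def parse_build(version: str) -> tuple:
    """Turn '13.0-58.32' into (13, 0, 58, 32) so builds compare as tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str, flavor: str = "standard") -> bool:
    """True when the build is older than the first fixed build of its branch."""
    parsed = parse_build(version)
    branch = "%d.%d" % parsed[:2]
    key = branch if flavor == "standard" else f"{branch}-{flavor}"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:  # branch not listed as affected (e.g. 13.1)
        return False
    return parsed < parse_build(fixed)


def saml_roles(ns_conf_text: str) -> set:
    """Return {'SP'} and/or {'IdP'} depending on which SAML commands appear."""
    return {"SP" if m.group(1).lower() == "samlaction" else "IdP"
            for m in SAML_COMMANDS.finditer(ns_conf_text)}


def assess(version: str, ns_conf_text: str, flavor: str = "standard") -> dict:
    """Vulnerable only when the version is affected AND a SAML role is configured."""
    roles = saml_roles(ns_conf_text)
    return {"vulnerable": is_affected_version(version, flavor) and bool(roles),
            "roles": sorted(roles)}
```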
It is recommended that users running vulnerable versions and configurations apply the published updates immediately in order not to become targets of attacks carried out using this vulnerability. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action regarding the vulnerability.
ZeroBot: New Botnet Malware Using IoT Security Vulnerabilities
A new botnet malware named ZeroBot has been detected that spreads through IoT security vulnerabilities. Written in Go, Zerobot exploits multiple known vulnerabilities in IoT devices to gain access to targeted systems and spread further.
Vulnerabilities exploited in the deployment process of Zerobot malware include bugs in Zyxel firewalls, TOTOLINK routers, F5 BIG-IP, Spring Framework, D-Link DNS-320 NAS, Hikvision cameras, and FLIR AX8 thermal imaging cameras. It has also been observed that the botnet targets i386, amd64, arm, mips64le, mipsle, arm64, mips, mips64, ppc64, ppc64le, riscv64 and s390x CPU architectures. After communicating with the command and control (C2) server via the WebSocket Protocol, additional instructions allow Zerobot to execute arbitrary commands and launch attacks over various network protocols, including TCP, TLS, UDP, ICMP, and HTTP.
Zerobot ships with a propagation exploit module, and the more IoT devices it infects, the harder it becomes to contain. It has been classified as a critical threat because it can gain unauthorized access to vulnerable systems and, through its AntiKill module, prevents victims from terminating the Zerobot process.
In this context, in order not to become a target of attacks carried out using Zerobot, it is recommended to keep the systems and programs in use at their most up-to-date versions and to block the shared IoCs related to the botnet in the security solutions in use.
Critical RCE Alarm in FortiOS sslvpnd
A critical security vulnerability has been detected in FortiOS's SSL-VPN daemon (sslvpnd) that could allow threat actors to achieve remote code execution (RCE) on affected installations.
The security vulnerability tracked as CVE-2022-42475 is caused by a heap-based buffer overflow in the sslvpnd daemon component. An unauthenticated, remote threat actor can send specially crafted data to the SSL-VPN component, triggering the heap-based buffer overflow and executing arbitrary code on the targeted system. Fortinet states that this vulnerability is being actively exploited and recommends that users check their systems for the following indicators of compromise.
If the following log string is observed more than once on user systems:
- Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
If the following files are detected in the file system:
- /data/lib/libips.bak
- /data/lib/libgif.so
- /data/lib/libiptcp.so
- /data/lib/libipudp.so
- /data/lib/libjepg.so
- /var/.sslvpnconfigbk
- /data/etc/wxd.conf
- /flash
If connections are made from FortiGate to the following suspicious IP addresses:
- 34.130.40:444
- 131.189.143:30080,30081,30443,20443
- 36.119.61:8443,444
- 247.168.153:8033
Threat actors are actively exploiting the vulnerability. In this context, in order not to become a target of attacks carried out using this vulnerability, it is recommended to apply the published updates immediately and to block the specified indicators of compromise (IoCs) in the security solutions in use.