Critical authentication-bypass vulnerabilities in Citrix and VMware offerings are threatening devices running remote workspaces with complete takeover, the vendors warned this week.
Given both vendors’ history of exploitation, admits are warned of prioritizing patching, alerts both disclosures prompted CISA on Wednesday.
Citrix Gateway, A Perfect Avenue for Infesting Orgs:
As for Citrix, a critical vulnerability tracked as CVE-2022-27510 (with a CVSS vulnerability-severity score of 9.8 out of 10) allows unauthorized access to the Citrix Gateway when device is used as SSL VPN solution. Consequently, allowing access to the internal company applications from any device through the Internet, and offering single sign-on across applications and devices.
This way the vulnerability would give a threat actor means to easily access initial data, then dig deeper into an organization’s cloud footprint and create nuisance across the network.
In a published advisory, Citrix also noted that its Application Delivery Controller (ADC) product, that provides admin visibility into applications across multiple cloud instances, is vulnerable to remote desktop takeover (CVE-2022-27513, CVSS 8.3), and brute force protection bypass (CVE-2022-27516, CVSS 5.3).
According to researcher Satnam Narang, Citrix Gateway and ADC have always been a favorite target to cybercriminals, thanks to how many parts of an organization they provide entrée into. Thus, marking the importance of patching.
"Citrix ADC and Gateways have been routinely targeted by a number of threat actors over the last few years through the exploitation of CVE-2019-19781, a critical path traversal vulnerability that was first disclosed in December 2019 and subsequently exploited beginning in January 2020 after exploit scripts for the flaw became publicly available," Narang wrote in a Wednesday blog.
"CVE-2019-19781 has been leveraged by state-sponsored threat with ties to China and Iran, as part of ransomware attacks against various entities including the healthcare sector, and was recently included as part of an updated list of the top vulnerabilities exploited by the People’s Republic of China state-sponsored actors from early October," he added.
Users should be quick in updating to Gateway versions 13.1-33.47, 13.0-88.12, and 12.1-65.21 to patch the latest issues.
VMware Workspace ONE Assist, a trio of cybercrime threat:
On the other hand, VMware has reported three authentication-bypass bugs, all in its Workspace ONE Assist for Windows. The bugs (CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687, all with CVSS 9.8) allows both local and remote attackers to gain administrative access privileges without the need to authenticate, giving them full run of targeted devices.
Workspace ONE Assist is a remote desktop product that is mainly used by tech support to troubleshoot and fix issues relating to IT, for employees from afar. As such, it operates with the highest levels of privilege, potentially giving remote attackers an ideal initial access target and pivot point to other corporate resources.
Moreover, VMware revealed two additional vulnerabilities in Workspace ONE Assist. One is a cross-site scripting (XSS) flaw (CVE-2022-31688, CVSS 6.4), and the other (CVE-2022-31689, CVSS 4.2) that allows a "malicious actor who obtains a valid session token to authenticate to the application using that token," notes vendor’s Tuesday advisory.
VMware as well has a history of being a target to cybercriminals. A proof-of-concept (PoC) exploit was almost immediately published on GitHub and tweeted out to the world after a major Workspace ONE Access vulnerability (used to distribute corporate apps to distant employees) identified as CVE-2022-22954 was revealed in April.
Consequently, researchers from multiple security firms started looking for probes and exploit attempts very soon thereafter — with an ultimate motive of infecting targets with numerous or establishing a backdoor via Log4Shell.
Online users are advised to update their Workspace ONE Assist to version 22.10 in order to patch all of the most recently disclosed problems.