
Threat Advisory: Critical Authentication-Bypass Vulnerabilities in Citrix and VMware 

(CVE-2022-27510, CVE-2022-31685, CVE-2022-31686, CVE-2022-31687)

Event Summary

Critical authentication-bypass vulnerabilities in Citrix and VMware offerings are threatening devices running remote workspaces with complete takeover. For Citrix, a critical bug tracked as CVE-2022-27510 – with a CVSS vulnerability-severity score of 9.8 out of 10 – allows unauthenticated access to Citrix Gateway when the appliance is used as an SSL VPN solution.

VMware has reported three authentication-bypass bugs, all in its Workspace ONE Assist for Windows. The bugs—CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687, all with a high score of CVSS 9.8—allow both local and remote attackers to gain administrative access privileges without the need to authenticate, giving them full run of targeted devices. Workspace ONE Assist is a remote desktop product that’s mainly used by tech support to troubleshoot and fix IT issues for employees from afar; as such, it operates with the highest levels of privilege, potentially giving remote attackers an ideal initial access target and pivot point to other corporate resources.

Details

| Product Affected | Vulnerable Version | CVE-CVSS | Associated Risk / Details for Vulnerability | Recommendations |
|---|---|---|---|---|
| Citrix Gateway, Citrix ADC | Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47<br>Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12<br>Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21<br>Citrix ADC 12.1-FIPS before 12.1-55.289<br>Citrix ADC 12.1-NDcPP before 12.1-55.289 | CVE-2022-27510 | Unauthorized access to Gateway user capabilities | Update to recommended version* |
| VMware Workspace ONE Assist (Assist) | VMware Workspace ONE 21.x, 22.x | CVE-2022-31685, CVE-2022-31686, CVE-2022-31687 | | Update to 22.10 |

SOD Actions

Security On-Demand recommends updating all affected devices to the latest OS versions, as the corresponding vendors also advise. Affected customers of Citrix ADC and Citrix Gateway should install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:*

  • Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
  • Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
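
One way to triage an appliance inventory against the fixed builds listed above, as an added example that is not code from Security On-Demand or Citrix. The accepted version-string formats, the edition labels, and the host names and builds in the sample inventory are assumptions constructed for illustration. Builds are compared as integer pairs because 12.1-55.29 is older than 12.1-55.289, although it looks larger when read as a decimal.

```python
import re

# Fixed builds per release branch and edition, from the advisory's list above.
FIXED = {
    ("13.1", "standard"): (33, 47),
    ("13.0", "standard"): (88, 12),
    ("12.1", "standard"): (65, 21),
    ("12.1", "fips"): (55, 289),
    ("12.1", "ndcpp"): (55, 289),
}

# Accepts "13.1-33.47", "12.1.65.21" and CLI-style "NS13.0: Build 88.12.nc".
VERSION_RE = re.compile(r"(\d+\.\d+)(?:-|\.|:\s*Build\s+)(\d+)\.(\d+)")


def assess(version, edition="standard"):
    """Return 'patched', 'vulnerable' or 'unknown' for one appliance."""
    match = VERSION_RE.search(version)
    if not match:
        return "unknown"
    branch = match.group(1)
    # Integer pairs, not floats or strings: 55.29 is older than 55.289.
    build = (int(match.group(2)), int(match.group(3)))
    fixed = FIXED.get((branch, edition.lower()))
    if fixed is None:
        return "unknown"  # branch or edition not covered by this advisory
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """Map each host to its status; inventory rows are (host, version, edition)."""
    return {host: assess(version, edition) for host, version, edition in inventory}


# Constructed sample inventory (hypothetical host names and builds).
SAMPLE = [
    ("gw-east", "13.1-33.47", "standard"),
    ("gw-west", "NS13.0: Build 87.9.nc", "standard"),
    ("adc-fips", "12.1-55.29", "FIPS"),
    ("adc-old", "11.1-65.22", "standard"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

An "unknown" result means the branch is not in the advisory's list or the string could not be parsed, so those hosts need a manual check.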

As for VMware, users should update to version 22.10 of the Workspace ONE Assist application.

The SOD Threat Recon Unit will also track any exploitation tool or proof of concept (PoC) that could leverage these vulnerabilities to actively exploit systems. Information about new IoCs and IoAs will be proactively included in the monitoring provided by the ThreatWatch service on all service tiers.

Please contact your Security On-Demand Customer Success Manager if you have any questions about this alert.
