What vulnerabilities were discovered in Citrix Virtual Apps and Desktop?

Two vulnerabilities were identified in the Session Recording component: CVE-2024-8068 (CVSS 5.1) allowing escalation to NetworkService Account access, and CVE-2024-8069 (CVSS 5.1) enabling Remote Code Execution with NetworkService Account privileges. The Shadowserver Foundation has detected active exploitation attempts.

Which versions are affected and what are the recommended updates?

Affected versions include Citrix Virtual Apps and Desktops versions 16.0 up to specific versions of 2407, 1912 LTSR, 2203 LTSR, and 2402 LTSR. Users should upgrade to: 2407 hotfix 24.5.200.8 or later, 1912 LTSR CU9 hotfix 19.12.9100.6 or later, 2203 LTSR CU5 hotfix 22.03.5100.11 or later, or 2402 LTSR CU1 hotfix 24.02.1200.16 or later.

What are the attack conditions according to Citrix?

According to Citrix, CVE-2024-8068 requires an attacker to be an authenticated user in the same Windows Active Directory domain, while CVE-2024-8069 requires the attacker to be on the same intranet as the session recording server. However, these conditions are disputed by security researchers.

Advisory

Security flaws in Citrix Virtual Apps session recording component reported

Q: What is the technical cause of these vulnerabilities?

The vulnerabilities stem from a misconfigured MSMQ (Microsoft Message Queuing) instance with insecure permissions that uses BinaryFormatter for deserialization, which Microsoft has deemed inherently unsafe. The vulnerabilities are accessible via HTTP, making them potentially exploitable remotely.

Q: Is there a dispute about the severity of these vulnerabilities?

Yes, while Citrix classifies these as medium-severity authenticated vulnerabilities, watchTowr researchers argue they are more severe, describing them as 'point-click-full-takeover' and have published a proof-of-concept exploit. The Shadowserver Foundation urges immediate updates regardless of the severity debate.

published: Nov. 14, 2024

Take action: If you are using Citrix and Virtual apps, we can only repeat the message from Shadowserver - While there a debate on whether these are remotely exploitable without auth, we urge you to update your Citrix installations NOW!

Learn More

Summary: Security researchers have identified multiple vulnerabilities in Citrix Virtual Apps and Desktop's Session Recording component, which could allow attackers to execute code and escalate privileges under certain conditions.

Citrix classifies these as medium-severity authenticated vulnerabilities, while watchTowr researchers argue they are more severe, describing them as "point-click-full-takeover" and publishing proof-of-concept exploit. The Shadowserver Foundation has detected active exploitation attempts.

The Shadowserver foundation have a simple message: "While there is discussion on whether these are remotely exploitable without auth, we urge you to update your installations NOW"

Vulnerability details:

CVE-2024-8068 (official CVSS score 5.1) - Allows escalation to NetworkService Account access. Per claims fo Citrix, attacker must be an authenticated user in the same Windows Active Directory domain
CVE-2024-8069 (CVSS score 5.1) - Remote Code Execution with NetworkService Account privileges. Per claims fo Citrix, attacker must be on the same intranet as the session recording server.

The vulnerabilities stem from the Session Recording component that captures user activity, keyboard/mouse input, and desktop video streams. The issue involves a misconfigured MSMQ (Microsoft Message Queuing) instance with insecure permissions that uses BinaryFormatter for deserialization, which Microsoft has deemed inherently unsafe. The vulnerabilities are accessible via HTTP, making them potentially exploitable remotely.

Affected Versions:

Citrix Virtual Apps and Desktops versions from 16.0 up to:
- Version 2407 before hotfix 24.5.200.8
- Version 1912 LTSR before CU9 hotfix 19.12.9100.6
- Version 2203 LTSR before CU5 hotfix 22.03.5100.11
- Version 2402 LTSR before CU1 hotfix 24.02.1200.16

Citrix has released patches for all affected versions. Users are strongly urged to upgrade to the following versions:

Citrix Virtual Apps and Desktops 2407 hotfix 24.5.200.8 or later
Citrix Virtual Apps and Desktops 1912 LTSR CU9 hotfix 19.12.9100.6 or later
Citrix Virtual Apps and Desktops 2203 LTSR CU5 hotfix 22.03.5100.11 or later
Citrix Virtual Apps and Desktops 2402 LTSR CU1 hotfix 24.02.1200.16 or later

Security flaws in Citrix Virtual Apps session recording component reported

Read More
CISA warns of active exploits of old Oracle …
Another Critical Adobe ColdFusion flaw reported in a …
Critical session management vulnerability reported in Apache Roller
Adobe fixes ColdFusion arbitrary file read vulnerability
Active exploitation of WhatsUp Gold vulnerabilities