System Privileges in a Single Request: watchTowr Breaks Citrix Security

A new vulnerability compromises Citrix's infrastructure.

watchTowr has published a proof of concept (PoC) for exploiting an RCE vulnerability in Citrix Virtual Apps and Desktops. The bug allows an attacker to gain SYSTEM privileges by sending a single HTTP request, which opens up access to the Citrix Virtual Desktop Infrastructure (VDI) environment.

While Citrix has already released patches and encourages users to install them, the company insists that the discovered vulnerability is not an "unauthenticated RCE." Citrix representatives state that exploitation requires an authenticated user with access at the level of the NetworkService account.

However, watchTowr disagrees with this assessment, stating that the problem is much more serious: the vulnerability allows an attacker to gain SYSTEM privileges on the server that manages all applications and user sessions. This allows the attacker to impersonate users, including administrators, and covertly monitor their activity.

The vulnerability was found in the Session Recording Manager module, which records the video stream of user sessions, as well as records keystrokes and mouse movements for monitoring and diagnostic purposes. Sessions are sent to the server and stored in a database using the Microsoft Message Queuing Service (MSMQ).

The researchers found that the queue is created with overly permissive access rights, allowing anyone to insert messages into it. A more serious problem is the use of the outdated and insecure BinaryFormatter class to deserialize the message data. Microsoft's documentation explicitly states that BinaryFormatter is "dangerous and not recommended for use."

Exploitation of the vulnerability is possible with a simple HTTP request, although MSMQ is usually accessed via TCP port 1801. Experts were surprised that Citrix included support for MSMQ over HTTP, although this is not required for the functionality of the product.
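The two conditions described above (a queue that unprivileged principals may write to, and MSMQ reachable over HTTP rather than only on TCP/1801) can be checked on a Windows server with the built-in MSMQ and ServerManager PowerShell modules. The script below is an added example for this page, not code from watchTowr or Citrix, and it makes no reference to the specific queue in the product: it enumerates every private queue and reports any that grants write access to Everyone, ANONYMOUS LOGON or Authenticated Users. The property names it reads from Get-MsmqQueueACL entries (UserName, AccessType, Right) are assumed to match the parameter names of Set-MsmqQueueACL; adjust them if your module version differs.

```powershell
# Added example (not from the article or the vendor): audit a host for
# (1) MSMQ over HTTP being enabled and (2) private MSMQ queues that let
# low-privileged principals send messages, i.e. feed data into whatever
# deserializes the queue on the consumer side. Run elevated on Windows Server.
Import-Module ServerManager -ErrorAction Stop
Import-Module MSMQ -ErrorAction Stop

# Principals that should never hold a write grant on an internal queue.
$OpenPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Authenticated Users')
# Rights that allow inserting a message into the queue.
$WriteRights = @('WriteMessage', 'FullControl', 'GenericWrite')

function Test-MsmqHttpSupport {
    # MSMQ-HTTP-Support is the Windows feature that exposes MSMQ through IIS.
    $feature = Get-WindowsFeature -Name MSMQ-HTTP-Support
    [pscustomobject]@{
        Feature   = $feature.Name
        Installed = [bool]$feature.Installed
        Note      = if ($feature.Installed) {
                        'MSMQ is reachable over HTTP via IIS; remove unless required'
                    } else {
                        'MSMQ only listens on TCP/1801'
                    }
    }
}

function Find-OpenMsmqQueues {
    $findings = @()
    foreach ($queue in Get-MsmqQueue -QueueType Private) {
        # Assumption: each ACL entry exposes UserName, AccessType and Right.
        foreach ($entry in Get-MsmqQueueACL -InputObject $queue) {
            if ($entry.AccessType -ne 'Allow') { continue }
            # Strip a domain/machine prefix such as "NT AUTHORITY\".
            $principal = $entry.UserName -replace '^.*\\', ''
            if ($OpenPrincipals -notcontains $principal) { continue }
            # Right is a flags value and renders as "WriteMessage, PeekMessage, ...".
            $rights  = ([string]$entry.Right) -split ',\s*'
            $granted = @($rights | Where-Object { $WriteRights -contains $_ })
            if ($granted.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Queue     = $queue.QueueName
                    Principal = $entry.UserName
                    Rights    = ($granted -join ', ')
                }
            }
        }
    }
    return $findings
}

Test-MsmqHttpSupport | Format-List
$open = Find-OpenMsmqQueues
if ($open) {
    $open | Format-Table -AutoSize
} else {
    Write-Host 'No private queue grants write access to Everyone/Anonymous/Authenticated Users.'
}
```

A queue listed by Find-OpenMsmqQueues is only a problem if a consumer deserializes its messages with an unsafe formatter, but in that case the listing is exactly the attack surface the article describes; applying the vendor hotfix is the fix, and removing the MSMQ-HTTP-Support feature where it is not needed closes the HTTP path regardless of the queue ACL.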

After the publication of the PoC, Citrix promptly released recommendations and updates to address the vulnerability. The fixes apply to the following versions:
  • Citrix Virtual Apps and Desktops before 2407: Hotfix 24.5.200.8
  • Citrix Virtual Apps and Desktops 1912 LTSR before CU9: Hotfix 19.12.9100.6
  • Citrix Virtual Apps and Desktops 2203 LTSR before CU5: Hotfix 22.03.5100.11
  • Citrix Virtual Apps and Desktops 2402 LTSR before CU1: Hotfix 24.2.1200.16

The company assigned two CVE identifiers to the vulnerabilities:
  • CVE-2024-8068 (CVSS score: 5.1): privilege escalation to the NetworkService account. Requires an authenticated user in the same Active Directory domain as the Session Recording server, on the same intranet.
  • CVE-2024-8069 (CVSS score: 5.1): limited RCE with the privileges of the NetworkService account. Requires an authenticated user on the same intranet as the Session Recording server.

Citrix maintains that the additional conditions and the authentication requirement significantly reduce the danger of the vulnerabilities. watchTowr, however, stands by its position, arguing that the PoC demonstrates far more serious consequences.
