November 12, 2024 at 11:14AM
Researchers at watchTowr have published a proof of concept for a serious vulnerability in Citrix Virtual Apps and Desktops that, by their account, allows unauthenticated remote code execution with a single HTTP request. The flaw lets attackers gain system privileges on the server and impersonate users. Citrix disputes that characterization of the severity but has issued hotfixes and urges customers to apply them immediately.
### Meeting Takeaways
1. **Vulnerability Discovery**: Researchers from watchTowr reported an unauthenticated remote code execution (RCE) vulnerability in Citrix’s Virtual Apps and Desktops, allowing attackers system privileges with just an HTTP request.
2. **Citrix’s Response**: Citrix disputes the labeling of the vulnerability as an “unauthenticated RCE” and has advised customers to apply the hotfixes. Citrix characterizes the flaws as requiring an authenticated user on the same intranet as the Session Recording server, with any resulting code execution limited to the privileges of the NetworkService account.
3. **Technical Details**:
– The vulnerability lies in the Session Recording Manager component, which records user sessions, including keystrokes and mouse movements.
– The root cause is twofold: the Microsoft Message Queuing (MSMQ) queue the component uses is initialized with overly permissive access rights, and messages read from it are deserialized with the .NET BinaryFormatter class, which is insecure by design because the serialized payload itself dictates which types are instantiated.
4. **Exposure**: The MSMQ instance accepts messages over its native TCP port 1801 as well as over HTTP, so the exploit can be delivered remotely rather than only from the local host, raising concerns about unnecessary exposure of the MSMQ service.
5. **Hotfix Versions**: Citrix has published a hotfix for each affected release line of Citrix Virtual Apps and Desktops:
– Hotfix 24.5.200.8 for versions prior to 2407
– Hotfix 19.12.9100.6 for 1912 LTSR prior to CU9
– Hotfix 22.03.5100.11 for 2203 LTSR prior to CU5
– Hotfix 24.02.1200.16 for 2402 LTSR prior to CU1
6. **CVE Identifiers**: Citrix has assigned two CVE identifiers, splitting the issue into a privilege-escalation bug and a code-execution bug:
– **CVE-2024-8068**: A privilege escalation flaw which, per Citrix, requires an authenticated user in the same Active Directory domain as the Session Recording server.
– **CVE-2024-8069**: A limited remote code execution flaw that runs with the privileges of the NetworkService account and, per Citrix, requires an authenticated user on the same intranet as the Session Recording server.
7. **Public Back-and-Forth**: There is disagreement between Citrix and watchTowr regarding the severity of the vulnerability, with watchTowr suggesting that Citrix is downplaying the risk.
8. **Next Steps**: Citrix plans to publish a blog post explaining why it rejects watchTowr’s characterization of the vulnerability, while the researchers stand by their severity assessment. Regardless of how that dispute resolves, the recommended hotfixes should be applied immediately.
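To make the root cause in items 3 and 4 concrete, the following is an added illustration (not Citrix’s code, and not taken from watchTowr’s proof of concept) of the vulnerable MSMQ pattern beside a least-privilege rewrite, written against .NET Framework’s System.Messaging. The queue path, the SessionEvent message type and the CORP\svc-recorder and CORP\svc-recmanager accounts are assumptions made for the example.

```csharp
// Added illustration, not Citrix code. Requires .NET Framework with a reference
// to System.Messaging.dll and the MSMQ feature installed on the host.
// Assumed names: QueuePath, SessionEvent, RecorderAccount, ManagerAccount.
using System;
using System.Messaging;

namespace RecordingQueueDemo
{
    // Assumed message type: what the recorder is meant to send to the manager.
    [Serializable]
    public class SessionEvent
    {
        public string User { get; set; }
        public string Machine { get; set; }
        public DateTime StartedAt { get; set; }
    }

    // The pattern the page describes: broad queue rights plus BinaryFormatter.
    public static class VulnerableManager
    {
        const string QueuePath = @".\private$\SessionRecordingDemo"; // assumed

        public static MessageQueue OpenQueue()
        {
            if (!MessageQueue.Exists(QueuePath))
                MessageQueue.Create(QueuePath);
            var queue = new MessageQueue(QueuePath);

            // Overly permissive initialization: every principal, including
            // unauthenticated senders, can write to and reconfigure the queue.
            queue.SetPermissions("Everyone", MessageQueueAccessRights.FullControl);

            // BinaryMessageFormatter wraps BinaryFormatter. The serialized body
            // names the types to instantiate, so whoever can enqueue a message
            // chooses the object graph the manager builds on Receive().
            queue.Formatter = new BinaryMessageFormatter();
            return queue;
        }

        public static SessionEvent ReceiveOne(MessageQueue queue)
        {
            // Deserialization, and therefore any gadget chain, runs here in the
            // manager's process before the cast to SessionEvent is ever checked.
            return (SessionEvent)queue.Receive().Body;
        }
    }

    // Same functionality with both root causes removed.
    public static class HardenedManager
    {
        const string QueuePath = @".\private$\SessionRecordingDemo"; // assumed
        const string RecorderAccount = @"CORP\svc-recorder";          // assumed
        const string ManagerAccount = @"CORP\svc-recmanager";         // assumed

        public static MessageQueue OpenQueue()
        {
            if (!MessageQueue.Exists(QueuePath))
                MessageQueue.Create(QueuePath);
            var queue = new MessageQueue(QueuePath);

            // Least privilege: start from the OS defaults, remove the broad
            // trustees entirely (Revoke drops their ACEs), then grant exactly
            // what each side needs: the recorder sends, the manager receives.
            queue.ResetPermissions();
            queue.SetPermissions("Everyone", MessageQueueAccessRights.FullControl,
                                 AccessControlEntryType.Revoke);
            queue.SetPermissions("ANONYMOUS LOGON", MessageQueueAccessRights.FullControl,
                                 AccessControlEntryType.Revoke);
            queue.SetPermissions(RecorderAccount, MessageQueueAccessRights.WriteMessage,
                                 AccessControlEntryType.Set);
            queue.SetPermissions(ManagerAccount,
                                 MessageQueueAccessRights.ReceiveMessage |
                                 MessageQueueAccessRights.GetQueueProperties,
                                 AccessControlEntryType.Set);

            // XmlMessageFormatter only instantiates the listed target types;
            // a sender-supplied type name in the body is rejected, not loaded.
            queue.Formatter = new XmlMessageFormatter(new[] { typeof(SessionEvent) });
            return queue;
        }

        public static SessionEvent ReceiveOne(MessageQueue queue)
        {
            // Bound the wait so an empty or poisoned queue cannot hang the service.
            Message message = queue.Receive(TimeSpan.FromSeconds(5));
            return message.Body as SessionEvent
                   ?? throw new InvalidOperationException("unexpected message body");
        }
    }

    public static class Program
    {
        public static void Main()
        {
            using (var queue = HardenedManager.OpenQueue())
            {
                queue.Send(new SessionEvent { User = "alice", Machine = "VDA01", StartedAt = DateTime.UtcNow });
                SessionEvent evt = HardenedManager.ReceiveOne(queue);
                Console.WriteLine($"{evt.User} on {evt.Machine} at {evt.StartedAt:o}");
            }
        }
    }
}
```

The two fixes address the two halves of the bug independently: the ACL change means an attacker who can reach MSMQ, whether over TCP 1801 or over HTTP, can no longer enqueue anything, and the formatter change means that even a message that does arrive cannot pick the types the manager instantiates. Network exposure is a separate control: TCP 1801 should be firewalled to the hosts that need it, and MSMQ HTTP support should not be installed unless something actually uses it.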