New Vulnerabilities in Citrix Virtual Apps Allow RCE Attacks Due to MSMQ Misconfiguration

New Security Flaws Discovered in Citrix Virtual Apps and Desktops Leading to Remote Code Execution Risks

Cybersecurity researchers have identified vulnerabilities in Citrix Virtual Apps and Desktops that expose deployments to remote code execution (RCE). The flaws, uncovered by the team at watchTowr, sit in the Session Recording component, which lets administrators record user sessions (keyboard and mouse input as well as screen activity) for auditing and troubleshooting.

The vulnerabilities stem from a combination of overly permissive access control on an MSMQ (Microsoft Message Queuing) instance, which the component exposes over HTTP, and the use of .NET's BinaryFormatter to deserialize the messages it receives. According to watchTowr, any host that can reach the HTTP listener can write a message to the queue, and because the message body is deserialized with BinaryFormatter, a crafted message yields code execution without any credentials for the service. As watchTowr researcher Sina Kheirkhah explained, the flaws arise from the carelessly exposed MSMQ instance, which can be exploited because of its excessive privileges.

Two CVE identifiers have been assigned, each with a CVSS score of 5.1: CVE-2024-8068 covers privilege escalation to the NetworkService account, and CVE-2024-8069 covers limited remote code execution running with that account's privileges. Citrix, however, has stated that successful exploitation requires the attacker to be an authenticated user in the same Windows Active Directory domain as the vulnerable Session Recording server and on the same intranet.

Citrix has released hotfixes for the affected versions, including the 2407 current release and the 1912, 2203 and 2402 long-term service releases; administrators should confirm the installed Session Recording build against the advisory rather than assume a recent install is patched. Microsoft has for years urged developers to stop using BinaryFormatter, which cannot be made safe for untrusted input, and in August 2024 announced that it is removed from .NET 9, underlining the ongoing risk of any code that still depends on it.

The affected code lives in the Session Recording Storage Manager, a Windows service that receives recording data from an MSMQ queue and writes it to storage. Because the service deserializes queue messages with BinaryFormatter, anyone who can write to the queue, which the lax permissions and the HTTP transport allow, can submit a crafted message that executes code when it is deserialized.
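The PowerShell script below is an added example of how an administrator might audit a Session Recording server for the exposure described above (MSMQ reachable over HTTP, queues writable by broad principals, and the installed Session Recording build); it is not code from Citrix or watchTowr. It assumes a Windows Server host with the MSMQ and ServerManager PowerShell modules available, that the Windows feature for MSMQ HTTP support is named MSMQ-HTTP, and that the Session Recording queues can be located by the name pattern in `$QueuePattern`, which is a guess to be adjusted after inspecting the output of `Get-MsmqQueue`.

```powershell
#Requires -RunAsAdministrator
# Added example (not Citrix or watchTowr code): audit a Session Recording server
# for the exposure discussed in the article. Assumptions: MSMQ and ServerManager
# modules present, feature name 'MSMQ-HTTP', and a queue name pattern that
# matches this deployment's Session Recording queues.

Import-Module MSMQ -ErrorAction Stop
Import-Module ServerManager -ErrorAction Stop

# Principals whose presence in a queue ACL means "anyone who can reach the
# listener can write a message". The list itself is an assumption; tune it.
$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Authenticated Users', 'Domain Users')
# Assumed name pattern for the Session Recording queues; adjust after
# inspecting Get-MsmqQueue on the server.
$QueuePattern = '*citrix*'

# 1. Installed Session Recording components and their versions, read from the
#    uninstall registry keys, so the build can be compared with the Citrix hotfix.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Session Recording*' } |
    Select-Object DisplayName, DisplayVersion |
    Format-Table -AutoSize

# 2. Is the MSMQ HTTP transport installed? That is the path by which the queue
#    becomes reachable from any host that can talk to IIS on this server.
$httpFeature = Get-WindowsFeature -Name 'MSMQ-HTTP'
if ($httpFeature -and $httpFeature.Installed) {
    Write-Warning 'MSMQ-HTTP is installed: queues are reachable over HTTP through IIS (/msmq/ virtual directory).'
} else {
    Write-Host 'MSMQ-HTTP is not installed.'
}

# 3. Is the Storage Manager service present and running, i.e. is something
#    actually consuming and deserializing messages from the queue?
Get-Service |
    Where-Object { $_.DisplayName -like '*Session Recording Storage Manager*' } |
    Select-Object Name, DisplayName, Status |
    Format-Table -AutoSize

# 4. Walk the private queues that look like Session Recording queues and flag
#    broad principals in their ACLs. ACL entries are rendered to text so the
#    check does not depend on the property names of the cmdlet's output objects.
$findings = @()
Get-MsmqQueue -QueueType Private |
    Where-Object { $_.QueueName -like $QueuePattern } |
    ForEach-Object {
        $queue   = $_
        $aclText = ($queue | Get-MsmqQueueACL | Format-List * | Out-String)
        Write-Host "Queue $($queue.QueueName):"
        Write-Host $aclText
        foreach ($principal in $BroadPrincipals) {
            if ($aclText -match [regex]::Escape($principal)) {
                $findings += "Queue '$($queue.QueueName)' grants rights to broad principal '$principal'"
            }
        }
    }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Apply the Citrix hotfix; tightening the queue ACL to the service account is defense in depth, not a substitute.'
} else {
    Write-Host "No broad principals found on queues matching $QueuePattern."
}
```

Run it in an elevated PowerShell session on the Session Recording server. The ACL check is deliberately string-based: it will also match principals that merely contain one of the listed names, so treat a warning as a prompt to read the printed ACL rather than as proof of exposure. None of the checks replace installing the hotfix, since the deserialization issue is in the service's code, not in the queue permissions alone.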

The severity of the vulnerabilities is disputed. Citrix describes the risk as authenticated RCE limited to the NetworkService account. watchTowr has contested this position, asserting that the potential for exploitation remains significant, and characterizes it as a ‘point-click-full-takeover’ scenario for attackers.

The Shadowserver Foundation reports increased attempts to exploit these vulnerabilities, and a proof-of-concept exploit has been made publicly available, so administrators are urged to apply the Citrix hotfix promptly.

Mapped onto the MITRE ATT&CK framework, the attack chain combines initial access through an exposed network service (the MSMQ HTTP listener with lax queue permissions), execution through insecure deserialization, and privilege escalation to the NetworkService account. Administrators must apply the security update and review the MSMQ configuration of their Session Recording servers to mitigate these risks.
