Citrix Virtual Apps

Cybersecurity researchers have disclosed new security flaws impacting Citrix Virtual Apps and Desktop that could be exploited to achieve unauthenticated remote code execution (RCE)

The issue, per findings from watchTowr, is rooted in the Session Recording component that allows system administrators to capture user activity, and record keyboard and mouse input, along with a video stream of the desktop for audit, compliance, and troubleshooting purposes.

Particularly, the vulnerability exploits the "combination of a carelessly-exposed MSMQ instance with misconfigured permissions that leverages BinaryFormatter can be reached from any host via HTTP to perform unauthenticated RCE," security researcher Sina Kheirkhah said.

Cybersecurity

The vulnerability details are listed below -

  • CVE-2024-8068 (CVSS score: 5.1) - Privilege escalation to NetworkService Account access
  • CVE-2024-8069 (CVSS score: 5.1) - Limited remote code execution with the privilege of a NetworkService Account access

However, Citrix noted that successful exploitation requires an attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server domain and on the same intranet as the session recording server. The defects have been addressed in the following versions -

  • Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8
  • Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6
  • Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11
  • Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16

It's worth noting that Microsoft has urged developers to stop using BinaryFormatter for deserialization, owing to the fact that the method is not safe when used with untrusted input. An implementation of BinaryFormatter has been removed from .NET 9 as of August 2024.

"BinaryFormatter was implemented before deserialization vulnerabilities were a well-understood threat category," the tech giant notes in its documentation. "As a result, the code does not follow modern best practices. BinaryFormatter.Deserialize may be vulnerable to other attack categories, such as information disclosure or remote code execution."

At the heart of the problem is the Session Recording Storage Manager, a Windows service that manages the recorded session files received from each computer that has the feature enabled.

Cybersecurity

While the Storage Manager receives the session recordings as message bytes via the Microsoft Message Queuing (MSMQ) service, the analysis found that a serialization process is employed to transfer the data and that the queue instance has excessive privileges.

To make matters worse, the data received from the queue is deserialized using BinaryFormatter, thereby allowing an attacker to abuse the insecure permissions set during the initialization process to pass specially crafted MSMQ messages sent via HTTP over the internet.

"We know there is a MSMQ instance with misconfigured permissions, and we know that it uses the infamous BinaryFormatter class to perform deserialization," Kheirkhah said, detailing the steps to create an exploit. "The 'cherry on top' is that it can be reached not only locally, through the MSMQ TCP port, but also from any other host, via HTTP."

"This combo allows for a good old unauthenticated RCE," the researcher added.

Update

Citrix told The Hacker News that based on the analysis by the security team, this is not an unauthenticated RCE, and that it is an authenticated RCE that can be carried out only as a NetworkService Account. When reached for comment, watchTowr said "Citrix is downplaying the severity of this vulnerability as a medium priority when it's really point-click-full-takeover."

The attack surface management company has also made available a proof-of-concept (PoC) exploit for the flaw. The Shadowserver Foundation has since revealed that it's already seeing potential exploitation attempts targeting the two flaws.

"While there is discussion on whether these are remotely exploitable without auth, we urge you to update your installations NOW," it said in a post shared on X.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.