
Citrix admins advised to install hotfixes to block vulnerabilities – Source: www.csoonline.com


Source: www.csoonline.com – Author:

News

13 Nov 2024, 6 mins

Threat and Vulnerability Management, Vulnerabilities

The holes could allow an authenticated hacker to use HTTP to get into Citrix Virtual Apps and Desktops.

CISOs with Citrix Virtual Apps and Desktop in their environments should patch two holes that could give an authenticated hacker the ability to escalate privileges and run remote code.

The warning follows the discovery of the vulnerabilities by researchers at watchTowr, who said that what they described as “a carelessly-exposed MSMQ [Microsoft message queuing] instance” can be exploited, via HTTP, to achieve unauthenticated remote code execution against the application.

“There seems to be disagreement between Citrix and watchTowr on the seriousness of the vulnerability,” commented Michelle Abraham, a research director in IDC’s security and trust group, “but remote code execution is a serious issue.”

Hotfixes available

For its part, Citrix issued a security bulletin Tuesday in which it “strongly urges affected customers of Citrix Session Recording to install the relevant updated versions of Citrix Session Recording as soon their upgrade schedule permits.”

Citrix said the two problems are:

  • CVE-2024-8068, a privilege escalation to NetworkService account access, with a CVSS base score of 5.1.
  • CVE-2024-8069, a limited remote code execution with the privileges of the NetworkService account, also with a CVSS base score of 5.1.

Hotfixes for the current release and long term service releases are available.

CISOs should find out whether they are using this application in their IT environments and determine whether the flaw presents a risk, Abraham told CSO Online in an email, particularly if it is being used on business critical assets. Criticality should factor into the prioritization of remediation.

“Every IT environment is different,” she said, “so the risks and priorities differ. Having a vulnerability management solution that can prioritize and track the remediation workflow is necessary to manage CVEs that may be present in an organization’s IT environment.”

“There have been 29,004 CVE records published in 2024 through the first three quarters of the year,” she added, “more than were published for the whole of 2023.”

The vulnerabilities are in the Session Recording capability of Citrix Virtual Apps and Desktops, which is aimed at letting IT departments deliver a secure work desktop on any device an employee or approved partner uses.

Session Recording creates a video of keyboard and mouse movements that administrators or IT support can use for monitoring, compliance, and troubleshooting. Videos are stored in a Citrix server database folder. The app includes Session Recording Storage Manager, which is a Windows service.

The flaw

But researchers at watchTowr discovered a flaw, outlined in a blog post on Tuesday. The post said that the Storage Manager receives files via Microsoft Message Queuing (MSMQ) and uses a serialization process to convert session recording data messages into a form that can be interpreted by Windows processes.

The serialization API allows several “terrible” permissions, watchTowr said, including Full Control access to almost any authenticated user. And, the researchers said, Citrix uses .NET’s BinaryFormatter for deserialization.

“Time has told us that using a BinaryFormatter for deserialization is almost always dangerous,” the report said. “It exposes a lot of functionality to whoever can provide it with messages, and while it can be used securely, it provides enough ‘footguns’ that even Microsoft themselves say it shouldn’t be used.”

The report cites a Microsoft paper issued in July detailing the risks of using BinaryFormatter, saying it is not recommended for data processing.

While MSMQ is usually reached via TCP port 1801, which is not open by default in a Citrix environment, there is a bug in MSMQ — CVE-2024-21554 — which supports accessing MSMQ over HTTP. Unfortunately, for some reason HTTP support is enabled when Virtual Apps and Desktop is installed.

Admins who know to look for this can uncheck this option in the Message Queuing menu list in the app.
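The following audit script is an added example, not from the article or from Citrix: it reports whether a host runs the Session Recording Storage Manager service, whether MSMQ and its HTTP transport are installed, and what is listening on the ports involved, and only with -Remediate removes the HTTP transport the article says is enabled by the install. It assumes the service display name contains “Session Recording Storage Manager” and that MSMQ-over-HTTP is the Windows feature named MSMQ-HTTP-Support.

```powershell
# Added audit script (not Citrix's or the article's). Run elevated on the
# Windows Server hosting Citrix Session Recording.
# Assumptions: Storage Manager service display name contains
# "Session Recording Storage Manager"; MSMQ HTTP support is the Windows
# feature MSMQ-HTTP-Support.
#Requires -RunAsAdministrator
param([switch]$Remediate)   # without -Remediate the script only reports

Import-Module ServerManager -ErrorAction Stop
$findings = @()

# 1. Is this host a Session Recording server? (assumed display name)
$srs = Get-Service -DisplayName '*Session Recording Storage Manager*' -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Check  = 'SessionRecordingStorageManager'
    Result = if ($srs) { "present ($($srs.Status))" } else { 'not installed' }
}

# 2. Is MSMQ installed, and is its HTTP transport (the path the article
#    describes as enabled by the Virtual Apps and Desktops install) present?
$msmq = Get-WindowsFeature -Name MSMQ-Server
$http = Get-WindowsFeature -Name MSMQ-HTTP-Support
$findings += [pscustomobject]@{ Check = 'MSMQ-Server';       Result = $msmq.InstallState }
$findings += [pscustomobject]@{ Check = 'MSMQ-HTTP-Support'; Result = $http.InstallState }

# 3. What is listening on the classic MSMQ port 1801 and the HTTP ports?
$ports = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 1801, 80, 443 } |
    Select-Object -ExpandProperty LocalPort -Unique
$findings += [pscustomobject]@{ Check = 'Listening(1801/80/443)'; Result = ($ports -join ',') }

$findings | Format-Table -AutoSize

# Mitigation the article describes: turn off MSMQ-over-HTTP on a Session
# Recording server. The Citrix hotfix still has to be installed afterwards.
if ($Remediate -and $srs -and $http.Installed) {
    Uninstall-WindowsFeature -Name MSMQ-HTTP-Support -Confirm:$false | Out-Null
    Write-Host 'MSMQ-HTTP-Support removed; apply the Citrix Session Recording hotfix next.'
}
```

Removing the HTTP transport only closes the exposure path watchTowr used; the deserialization weakness itself is addressed by the Citrix hotfixes.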

Knowing all this, the watchTowr researchers built a proof of concept exploit they said could be used by a threat actor.

“This isn’t really a bug in the BinaryFormatter itself, nor a bug in MSMQ,” said watchTowr, “but rather the unfortunate consequence of Citrix relying on the documented-to-be-insecure BinaryFormatter to maintain a security boundary. It’s a ‘bug’ that manifested during the design phase, when Citrix decided which serialization library to use.”

A ‘medium’ risk, says Citrix

In an email to CSO Online, Citrix said it takes reports of security vulnerabilities seriously. Once the company was made aware of this exploit, it worked with watchTowr to validate, reproduce, and mitigate the problem for the protection of customers.

Citrix rates it a “medium” security issue for several reasons:

  • The exploit is limited to the Citrix Session Recording server, which is an optional component of a Citrix Virtual Apps and Desktops deployment.
  • Session Recording Server is typically deployed on a standalone Windows Server.
  • VDA and other Citrix infrastructure components are not impacted.
  • It is security best practice that Session Recording Server is installed on a trusted machine inside the corporate network, and cannot be reached from the internet.
  • For the vulnerability reported, the attacker exploits Microsoft MSMQ technology to send malicious objects to the Session Recording server. This requires the attacker to be on a trusted machine in the same domain as the Session Recording server. Citrix recommends that customers enable HTTPS integration with Active Directory as the authentication method for communication with MSMQ.
  • If exploits were successfully executed on the Session Recording server, they would run in the less privileged Network Service context, not in the System context.
  • Session Recording server can be updated independently of other Citrix components.


Original Post url: https://www.csoonline.com/article/3604865/citrix-admins-advised-to-install-hotfixes-to-block-vulnerabilities.html
