New Bug Allows RCE on Citrix Virtual Apps and Desktop
Citrix has released fixes for two vulnerabilities in the Session Recording feature of its Virtual Apps and Desktops products that, chained together, can lead to remote code execution. The flaws affect the current release as well as several Long Term Service Releases (LTSR).
CVEs: CVE-2024-8068 and CVE-2024-8069
Why It Matters: Citrix’s Virtual Apps and Desktops offering is designed to let end users run apps from a remote server rather than from their local machines. Its remote access features are convenient for users but are also a boon for attackers who manage to gain access to a machine running the system. Citrix products are frequent targets for many attacker groups, and just yesterday CISA and a number of partner agencies released a joint advisory on the 15 most routinely exploited vulnerabilities of 2023, which included two Citrix vulnerabilities.
Key Details:
CVE-2024-8068 is a privilege escalation flaw that lets an attacker gain NetworkService account privileges, provided they are an authenticated user in the same Windows Active Directory domain as the Session Recording server
CVE-2024-8069 is a remote code execution bug that lets an attacker run code with those NetworkService account privileges, provided they are an authenticated user on the same intranet as the Session Recording server
Affected versions include Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8, and the Long Term Service Releases 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, and 2402 LTSR before CU1 hotfix 24.02.1200.16
Citrix released updates for these flaws on Nov. 12
The Session Recording feature “captures user activity, recording keyboard and mouse input, along with the video stream of the desktop’s reaction. It’s something akin to recording of a virtual machine session (or, your APT friend spamming their Cobalt Strike beacon with the ‘screenshot’ command),” says the write-up from Sina Kheirkhah of watchTowr Labs, who discovered the bugs.
“We know there is a MSMQ instance with misconfigured permissions, and we know that it uses the infamous BinaryFormatter class to perform deserialization. The ‘cherry on top’ is that it can be reached not only locally, through the MSMQ TCP port, but also from any other host, via HTTP. This combo allows for a good old unauthenticated RCE. Since we're dealing with a deserialization issue, a bug class that is known for being relatively stable, we can expect a high degree of confidence that our exploit (once crafted) will work reliably - there's no tricky heap manipulation or other entropy creeping in.”
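The bug class the quoted write-up describes, shown as an added example that is neither Citrix's code nor watchTowr's exploit: a .NET MSMQ consumer that hands message bodies to BinaryFormatter, next to two hardened variants and the queue ACL change that closes the other half of the problem. The queue path, the SessionEvent type and the principals in the ACL calls are assumptions chosen for illustration, not Session Recording internals.

```csharp
// Added illustration, not Citrix's code and not watchTowr's exploit.
// Requires a reference to System.Messaging.dll (.NET Framework).
// The queue path, the SessionEvent type and the principals below are
// assumptions for the example; they are not Session Recording internals.
using System;
using System.Messaging;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public sealed class SessionEvent          // assumed payload type
{
    public string SessionId;
    public DateTime Timestamp;
    public string Kind;
}

public static class RecordingQueueConsumer
{
    // Assumed private queue name; real deployments differ.
    const string QueuePath = @".\private$\SessionRecordingEvents";

    // VULNERABLE: BinaryMessageFormatter wraps BinaryFormatter, which
    // instantiates whatever type the sender names in the message body.
    // If the queue ACL lets unprivileged callers send (locally over the
    // MSMQ TCP port, or remotely via MSMQ-over-HTTP), a crafted body
    // carrying a gadget chain runs code in this process.
    public static SessionEvent ReceiveVulnerable()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            queue.Formatter = new BinaryMessageFormatter();
            Message msg = queue.Receive(TimeSpan.FromSeconds(5));
            return (SessionEvent)msg.Body;   // deserialization happens here
        }
    }

    // MITIGATION 1 (stop-gap only): if BinaryFormatter cannot be removed
    // yet, reject every type name except the one expected. Microsoft's
    // guidance is that BinaryFormatter is insecure and cannot be made
    // secure, so treat this as a bridge to mitigation 2, not a fix.
    sealed class SessionEventOnlyBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            if (typeName == typeof(SessionEvent).FullName)
                return typeof(SessionEvent);
            throw new SerializationException("Rejected type in message body: " + typeName);
        }
    }

    public static SessionEvent ReceiveWithBinder()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            Message msg = queue.Receive(TimeSpan.FromSeconds(5));
            var formatter = new BinaryFormatter { Binder = new SessionEventOnlyBinder() };
            return (SessionEvent)formatter.Deserialize(msg.BodyStream);
        }
    }

    // MITIGATION 2 (preferred): XmlMessageFormatter only materializes the
    // target types it is given, so the sender cannot name a gadget type.
    public static SessionEvent ReceiveXml()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            queue.Formatter = new XmlMessageFormatter(new[] { typeof(SessionEvent) });
            Message msg = queue.Receive(TimeSpan.FromSeconds(5));
            return (SessionEvent)msg.Body;
        }
    }

    // The other half of the fix is the queue ACL: only the identity that
    // legitimately produces events may write, and only the service account
    // that consumes them may read. Both principals are placeholders.
    public static void RestrictQueueAcl()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            queue.ResetPermissions();
            queue.SetPermissions(@"DOMAIN\SessionRecordingAgent",
                MessageQueueAccessRights.WriteMessage,
                AccessControlEntryType.Allow);
            queue.SetPermissions(@"NT AUTHORITY\NETWORK SERVICE",
                MessageQueueAccessRights.ReceiveMessage | MessageQueueAccessRights.PeekMessage,
                AccessControlEntryType.Allow);
        }
    }
}
```

The two halves matter together: a tight ACL without a safe formatter still trusts every principal that can reach the queue, and a safe formatter behind a world-writable queue still leaves an attacker free to inject events into the recording pipeline.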
As mentioned above, Citrix has released fixes for this set of bugs, and enterprises running affected versions with the Session Recording component deployed should update quickly. Note the gap between the two descriptions: Citrix lists an authenticated domain or intranet user as the precondition, while watchTowr characterizes the MSMQ-over-HTTP path as unauthenticated RCE, so exposure of the Session Recording server to untrusted networks should be treated as the more pessimistic case until patched.