{"id":857,"date":"2024-11-14T04:53:46","date_gmt":"2024-11-14T04:53:46","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=857"},"modified":"2024-11-14T04:53:46","modified_gmt":"2024-11-14T04:53:46","slug":"citrix-admins-advised-to-install-hotfixes-to-block-vulnerabilities","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=857","title":{"rendered":"Citrix admins advised to install hotfixes to block vulnerabilities"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>CISOs with Citrix Virtual Apps and Desktop in their environments should patch two holes that could give an authenticated hacker the ability to escalate privileges and run remote code.<\/p>\n<p>This warning follows the discovery of the vulnerabilities by researchers at watchTowr, who said that what they described as \u201ca carelessly-exposed MSMQ [Microsoft message queuing] instance\u201d can be exploited, via HTTP, to enable unauthenticated remote code execution against the application.<\/p>\n<p>\u201cThere seems to be disagreement between Citrix and watchTowr on the seriousness of the vulnerability,\u201d commented Michelle Abraham, a research director in IDC\u2019s security and trust group, \u201cbut remote code execution is a serious issue.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Hotfixes available<\/h2>\n<p>For its part, Citrix <a href=\"https:\/\/support.citrix.com\/s\/article\/CTX691941-citrix-session-recording-security-bulletin-for-cve20248068-and-cve20248069?language=en_US\">issued a security bulletin Tuesday<\/a> in which it \u201cstrongly urges affected customers of Citrix Session Recording to install the relevant updated versions of Citrix Session Recording as soon as their upgrade schedule permits.\u201d<\/p>\n<p>Citrix said the two problems 
are:<\/p>\n<ul>\n<li>CVE-2024-8068, a privilege escalation to NetworkService account access, with a CVSS base score of 5.1<\/li>\n<li>CVE-2024-8069, a limited remote code execution with the privileges of the NetworkService account, also with a CVSS base score of 5.1<\/li>\n<\/ul>\n<p><a href=\"https:\/\/support.citrix.com\/s\/article\/CTX691941-citrix-session-recording-security-bulletin-for-cve20248068-and-cve20248069?language=en_US\">Hotfixes for the current release and long term service releases<\/a> are available.<\/p>\n<p>CISOs should find out whether they are using this application in their IT environments and determine whether the flaw presents a risk, Abraham told CSO Online in an email, particularly if it is being used on business-critical assets. Criticality should factor into the prioritization of remediation.<\/p>\n<p>\u201cEvery IT environment is different,\u201d she said, \u201cso the risks and priorities differ. Having a <a href=\"https:\/\/www.csoonline.com\/article\/563677\/5-top-vulnerability-management-tools-and-how-they-help-prioritize-threats.html\">vulnerability management<\/a> solution that can prioritize and track the remediation workflow is necessary to manage CVEs that may be present in an organization\u2019s IT environment.\u201d<\/p>\n<p>\u201cThere have been 29,004 CVE records published in 2024 through the first three quarters of the year,\u201d she added, \u201cmore than were published for the whole of 2023.\u201d<\/p>\n<p>The vulnerabilities are in the Session Recording capability of Citrix Virtual Apps and Desktops, which is aimed at letting IT departments deliver a secure work desktop on any device an employee or approved partner uses.<\/p>\n<p>Session Recording creates a video of keyboard and mouse movements that administrators or IT support can use for monitoring, compliance, and troubleshooting. Videos are stored in a Citrix server database folder. 
The app includes Session Recording Storage Manager, which is a Windows service.<\/p>\n<h2 class=\"wp-block-heading\">The flaw<\/h2>\n<p>Researchers at watchTowr discovered a flaw in it, outlined in a blog post on Tuesday. The post said that the Storage Manager receives files via Microsoft Message Queuing (MSMQ) and uses a serialization process to convert session recording data messages into a form that can be interpreted by Windows processes.<\/p>\n<p>The serialization API allows several \u201cterrible\u201d permissions, watchTowr said, including Full Control access for almost any authenticated user. And, the researchers said, Citrix uses .NET\u2019s BinaryFormatter for deserialization.<\/p>\n<p>\u201cTime has told us that using a BinaryFormatter for deserialization is almost always dangerous,\u201d the report said. \u201cIt exposes a lot of functionality to whoever can provide it with messages, and while it can be used securely, it provides enough \u2018footguns\u2019 that even Microsoft themselves say it shouldn\u2019t be used.\u201d<\/p>\n<p>The report cites <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/standard\/serialization\/binaryformatter-security-guide\">a Microsoft paper issued in July detailing the risks of using BinaryFormatter<\/a>, saying it is not recommended for data processing.<\/p>\n<p>While MSMQ is usually reached via TCP port 1801, which is not open by default in a Citrix environment, there is a bug in MSMQ \u2014 CVE-2024-21554 \u2014 which supports accessing MSMQ over HTTP. 
Unfortunately, HTTP support is enabled when Virtual Apps and Desktop is installed.<\/p>\n<p>Admins who know to look for this can uncheck the option in the Message Queuing menu list in the app.<\/p>\n<p>Knowing all this, the watchTowr researchers built a proof-of-concept exploit they said could be used by a threat actor.<\/p>\n<p>\u201cThis isn\u2019t really a bug in the BinaryFormatter itself, nor a bug in MSMQ,\u201d said watchTowr, \u201cbut rather the unfortunate consequence of Citrix relying on the documented-to-be-insecure BinaryFormatter to maintain a security boundary. It\u2019s a \u2018bug\u2019 that manifested during the design phase, when Citrix decided which serialization library to use.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A \u2018medium\u2019 risk, says Citrix<\/h2>\n<p>In an email to CSO Online, Citrix said it takes reports of security vulnerabilities seriously. Once the company was made aware of this exploit, it worked with watchTowr to validate, reproduce, and mitigate the problem for the protection of customers.<\/p>\n<p>Citrix rates it a \u201cmedium\u201d security issue for several reasons:<\/p>\n<ul>\n<li>The exploit is limited to Citrix Session Recording server, which is an optional component of a Citrix Virtual Apps and Desktop deployment.<\/li>\n<li>Session Recording Server is typically deployed on a standalone Windows Server.<\/li>\n<li>VDA and other Citrix infrastructure components are not impacted.<\/li>\n<li>It is security best practice that Session Recording Server is installed on a trusted machine inside the corporate network, and cannot be reached from the internet.<\/li>\n<li>For the vulnerability reported, the attacker exploits Microsoft MSMQ technology to send malicious objects to the Session Recording server. This requires the attacker to be on a trusted machine which is in the same domain as the Session Recording server. Citrix recommends that customers enable HTTPS integration with Active Directory as the authentication method for communication with MSMQ.<\/li>\n<li>If exploits were successfully executed on the Session Recording server, they would run in the less privileged Network Service context, not in the System context.<\/li>\n<li>Session Recording server can be independently updated from other Citrix components.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">\u2018Emergency\u2019 or \u2018celebrity\u2019 issue? It\u2019s unclear, says analyst<\/h2>\n<p>The seriousness of the vulnerability, and the difficulty of exploiting it, depend on whether it can be exploited from an unauthenticated session, said Erik Nost, a Forrester Research senior analyst; the researchers and Citrix currently disagree on that.<\/p>\n<p>\u201cThe best thing for security pros to understand in scenarios like this is that there are both emergency vulnerabilities (where everything needs to be dropped to respond to) and celebrity vulnerabilities (which can get a lot of attention for news outlets\/researchers),\u201d he said. \u201cOftentimes, a vulnerability is an emergency and celebrity, but that\u2019s not always the case. This one seems to be hitting celebrity status, but it\u2019s not clear yet if it\u2019s an emergency.\u201d<\/p>\n<p>This sheds light on the need for organizations to have a critical vulnerability response plan, he said, so that they are prepared for both emergency and celebrity vulnerabilities. Even when a vulnerability is not an emergency, it is best practice to have a strong inventory of systems and applications so teams can determine if they are impacted. For a celebrity vulnerability, communications can be prepped to customers\/internal teams so everyone knows if there is impact, and the scope of the impact. 
Emergency response warrants these communications as well, but also the remediation efforts.<\/p>\n<p><em>This story has been updated with comments from Forrester.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs with Citrix Virtual Apps and Desktop in their environments should patch two holes that could give an authenticated hacker the ability to escalate privileges and run remote code. This warning comes after the discovery by researchers at watchTowr of the vulnerabilities, who said that what they described as \u201ca carelessly-exposed MSMQ [Microsoft message queuing] [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":846,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-857","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/857"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=857"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/857\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/846"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber
securityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}