Security researchers have disclosed critical vulnerabilities in Citrix Virtual Apps and Desktops that could allow remote code execution (RCE) attacks.
Proof-of-concept (PoC) exploitation attempts have already been observed in the wild, highlighting the urgency for organizations to patch affected systems.
The vulnerabilities, tracked as CVE-2024-8068 and CVE-2024-8069, affect the Session Recording component of Citrix Virtual Apps and Desktops.
This feature allows administrators to capture user activity, including keyboard input and screen content, for auditing and troubleshooting purposes.
Researchers from watchTowr discovered that a misconfigured Microsoft Message Queuing (MSMQ) instance combined with insecure use of .NET’s BinaryFormatter for deserialization creates an exploitable condition.
An attacker could leverage these flaws to achieve unauthenticated RCE against Citrix Virtual Apps and Desktops environments.
Affected versions include:
Citrix has released patches to address the vulnerabilities and strongly urges customers to install the updates as soon as possible. The company notes that successful exploitation requires an attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server.
However, security experts warn that the potential for unauthenticated RCE should not be discounted. Sina Kheirkhah, the researcher who discovered the flaws, stated: “This combo allows for a good old unauthenticated RCE.”
Adding to the urgency, Shadowserver has observed active in-the-wild exploitation attempts: “We started seeing Citrix Virtual Apps and Desktops CVE-2024-8068/CVE-2024-8069 PoC-based attempts at around 16:00 UTC today, shortly after publication.”
The vulnerabilities stem from Citrix’s use of BinaryFormatter, a .NET class that Microsoft has explicitly warned against using due to inherent security risks. Microsoft’s documentation states: “BinaryFormatter is insecure and can’t be made secure. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they’re processing to be trustworthy.”
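To make the root cause concrete, here is an added C# example (not Citrix's code and not derived from the watchTowr research) showing the general pattern the article describes: a service that pulls messages from an MSMQ queue and hands the body to BinaryFormatter, next to a hardened reader that binds the body to one fixed, data-only type. The queue path, the RecordingEvent type and the consumer loop are all hypothetical; the "before" method compiles only on .NET Framework, since newer .NET versions disable or remove BinaryFormatter.

```csharp
// Added example, not Citrix's code. Type names and queue path are hypothetical.
using System;
using System.IO;
using System.Messaging;                                // System.Messaging (MSMQ), .NET Framework
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical message the recording service expects from a client.
public sealed class RecordingEvent
{
    public string SessionId { get; set; } = "";
    public DateTime Timestamp { get; set; }
    public string EventType { get; set; } = "";
}

public static class QueueConsumer
{
    // BEFORE: BinaryFormatter reconstructs whatever type the sender names in the
    // payload, so anyone able to write to the queue drives object construction.
    // This is the flaw class the article attributes to Session Recording. The same
    // applies to System.Messaging's BinaryMessageFormatter, which wraps BinaryFormatter.
    public static RecordingEvent ReadUnsafe(Message msg)
    {
        var formatter = new BinaryFormatter();           // "insecure and can't be made secure"
        return (RecordingEvent)formatter.Deserialize(msg.BodyStream);
    }

    // AFTER: a schema-bound, data-only format. System.Text.Json populates only the
    // public properties of RecordingEvent; nothing in the payload selects a type.
    public static RecordingEvent ReadSafe(Message msg)
    {
        string json;
        using (var reader = new StreamReader(msg.BodyStream))
            json = reader.ReadToEnd();

        var options = new JsonSerializerOptions
        {
            PropertyNameCaseInsensitive = true,
            MaxDepth = 16,                               // bound nesting to limit resource abuse
        };
        RecordingEvent evt = JsonSerializer.Deserialize<RecordingEvent>(json, options)
            ?? throw new InvalidDataException("empty or null message body");

        // Validate the content, not just the shape.
        if (string.IsNullOrWhiteSpace(evt.SessionId))
            throw new InvalidDataException("missing SessionId");
        return evt;
    }

    // Hypothetical consumer loop. Queue ACLs and domain authentication are assumed to be
    // in place; the point here is that a malformed body is logged and dropped, never
    // handed to a fallback BinaryFormatter path.
    public static void Run(string queuePath = @".\private$\recording-events")
    {
        using (var queue = new MessageQueue(queuePath))
        {
            queue.MessageReadPropertyFilter.Body = true;
            while (true)
            {
                using (Message msg = queue.Receive())
                {
                    try
                    {
                        RecordingEvent evt = ReadSafe(msg);
                        Console.WriteLine($"{evt.Timestamp:o} {evt.SessionId} {evt.EventType}");
                    }
                    catch (Exception ex) when (ex is JsonException || ex is InvalidDataException)
                    {
                        // Rejected messages are the signal defenders want in the log.
                        Console.Error.WriteLine($"rejected message {msg.Id}: {ex.Message}");
                    }
                }
            }
        }
    }
}
```

The design choice worth noting is that the fix is not a "safer" configuration of BinaryFormatter (a SerializationBinder only narrows the blast radius) but a change of format to one where the payload cannot name the type being instantiated; that is the practical reading of Microsoft's guidance quoted above.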
Organizations utilizing Citrix Virtual Apps and Desktops, especially those with Session Recording enabled, are advised to prioritize patching these vulnerabilities immediately.
In addition to applying the provided hotfixes, security teams should review logs for any signs of exploitation attempts and consider implementing additional network segmentation to limit potential exposure.
As the situation develops, Citrix has stated they are actively monitoring for any new information and will provide updates as necessary. The incident serves as a reminder of the critical importance of prompt patch management and the ongoing challenges posed by legacy components in enterprise software.