Cybersecurity researchers have disclosed new safety flaws impacting Citrix Digital Apps and Desktop that might be exploited to realize unauthenticated distant code execution (RCE)
The problem, per findings from watchTowr, is rooted within the Session Recording part that permits system directors to seize consumer exercise, and file keyboard and mouse enter, together with a video stream of the desktop for audit, compliance, and troubleshooting functions.
Significantly, the vulnerability exploits the “mixture of a carelessly-exposed MSMQ occasion with misconfigured permissions that leverages BinaryFormatter could be reached from any host by way of HTTP to carry out unauthenticated RCE,” safety researcher Sina Kheirkhah stated.
The vulnerability particulars are listed under –
- CVE-2024-8068 (CVSS rating: 5.1) – Privilege escalation to NetworkService Account entry
- CVE-2024-8069 (CVSS rating: 5.1) – Restricted distant code execution with the privilege of a NetworkService Account entry
Nonetheless, Citrix famous that profitable exploitation requires an attacker to be an authenticated consumer in the identical Home windows Lively Listing area because the session recording server area and on the identical intranet because the session recording server. The defects have been addressed within the following variations –
- Citrix Digital Apps and Desktops earlier than 2407 hotfix 24.5.200.8
- Citrix Digital Apps and Desktops 1912 LTSR earlier than CU9 hotfix 19.12.9100.6
- Citrix Digital Apps and Desktops 2203 LTSR earlier than CU5 hotfix 22.03.5100.11
- Citrix Digital Apps and Desktops 2402 LTSR earlier than CU1 hotfix 24.02.1200.16
It is price noting that Microsoft has urged builders to cease utilizing BinaryFormatter for deserialization, owing to the truth that the tactic is just not protected when used with untrusted enter. An implementation of BinaryFormatter has been eliminated from .NET 9 as of August 2024.
“BinaryFormatter was applied earlier than deserialization vulnerabilities have been a well-understood menace class,” the tech large notes in its documentation. “Consequently, the code doesn’t observe fashionable finest practices. BinaryFormatter.Deserialize could also be weak to different assault classes, equivalent to info disclosure or distant code execution.”
On the coronary heart of the issue is the Session Recording Storage Supervisor, a Home windows service that manages the recorded session information obtained from every pc that has the function enabled.
Whereas the Storage Supervisor receives the session recordings as message bytes by way of the Microsoft Message Queuing (MSMQ) service, the evaluation discovered {that a} serialization course of is employed to switch the information and that the queue occasion has extreme privileges.
To make issues worse, the information obtained from the queue is deserialized utilizing BinaryFormatter, thereby permitting an attacker to abuse the insecure permissions set in the course of the initialization course of to move specifically crafted MSMQ messages despatched by way of HTTP over the web.
“We all know there’s a MSMQ occasion with misconfigured permissions, and we all know that it makes use of the notorious BinaryFormatter class to carry out deserialization,” Kheirkhah stated, detailing the steps to create an exploit. “The ‘cherry on prime’ is that it may be reached not solely domestically, via the MSMQ TCP port, but in addition from another host, by way of HTTP.”
“This combo permits for a superb outdated unauthenticated RCE,” the researcher added.
