Cybersecurity researchers have disclosed new safety flaws impacting Citrix Digital Apps and Desktop that could possibly be exploited to attain unauthenticated distant code execution (RCE)
The difficulty, per findings from watchTowr, is rooted within the Session Recording part that enables system directors to seize consumer exercise, and report keyboard and mouse enter, together with a video stream of the desktop for audit, compliance, and troubleshooting functions.
Notably, the vulnerability exploits the “mixture of a carelessly-exposed MSMQ occasion with misconfigured permissions that leverages BinaryFormatter may be reached from any host through HTTP to carry out unauthenticated RCE,” safety researcher Sina Kheirkhah stated.
The vulnerability particulars are listed beneath –
- CVE-2024-8068 (CVSS rating: 5.1) – Privilege escalation to NetworkService Account entry
- CVE-2024-8069 (CVSS rating: 5.1) – Restricted distant code execution with the privilege of a NetworkService Account entry
Nevertheless, Citrix famous that profitable exploitation requires an attacker to be an authenticated consumer in the identical Home windows Lively Listing area because the session recording server area and on the identical intranet because the session recording server. The defects have been addressed within the following variations –
- Citrix Digital Apps and Desktops earlier than 2407 hotfix 24.5.200.8
- Citrix Digital Apps and Desktops 1912 LTSR earlier than CU9 hotfix 19.12.9100.6
- Citrix Digital Apps and Desktops 2203 LTSR earlier than CU5 hotfix 22.03.5100.11
- Citrix Digital Apps and Desktops 2402 LTSR earlier than CU1 hotfix 24.02.1200.16
It is value noting that Microsoft has urged builders to cease utilizing BinaryFormatter for deserialization, owing to the truth that the tactic shouldn’t be protected when used with untrusted enter. An implementation of BinaryFormatter has been eliminated from .NET 9 as of August 2024.
“BinaryFormatter was applied earlier than deserialization vulnerabilities had been a well-understood menace class,” the tech big notes in its documentation. “Consequently, the code doesn’t comply with fashionable finest practices. BinaryFormatter.Deserialize could also be weak to different assault classes, akin to info disclosure or distant code execution.”
On the coronary heart of the issue is the Session Recording Storage Supervisor, a Home windows service that manages the recorded session information obtained from every pc that has the characteristic enabled.
Whereas the Storage Supervisor receives the session recordings as message bytes through the Microsoft Message Queuing (MSMQ) service, the evaluation discovered {that a} serialization course of is employed to switch the info and that the queue occasion has extreme privileges.
To make issues worse, the info obtained from the queue is deserialized utilizing BinaryFormatter, thereby permitting an attacker to abuse the insecure permissions set in the course of the initialization course of to cross specifically crafted MSMQ messages despatched through HTTP over the web.
“We all know there’s a MSMQ occasion with misconfigured permissions, and we all know that it makes use of the notorious BinaryFormatter class to carry out deserialization,” Kheirkhah stated, detailing the steps to create an exploit. “The ‘cherry on prime’ is that it may be reached not solely regionally, via the MSMQ TCP port, but additionally from another host, through HTTP.”
“This combo permits for an excellent outdated unauthenticated RCE,” the researcher added.