Cybersecurity researchers have disclosed new security flaws impacting Citrix Digital Apps and Desktop that may very well be exploited to realize unauthenticated distant code execution (RCE)
The difficulty, per findings from watchTowr, is rooted within the Session Recording element that enables system directors to seize consumer exercise, and file keyboard and mouse enter, together with a video stream of the desktop for audit, compliance, and troubleshooting functions.
Significantly, the vulnerability exploits the “mixture of a carelessly-exposed MSMQ occasion with misconfigured permissions that leverages BinaryFormatter could be reached from any host by way of HTTP to carry out unauthenticated RCE,” security researcher Sina Kheirkhah stated.
The vulnerability particulars are listed beneath –
- CVE-2024-8068 (CVSS rating: 5.1) – Privilege escalation to NetworkService Account entry
- CVE-2024-8069 (CVSS rating: 5.1) – Restricted distant code execution with the privilege of a NetworkService Account entry
Nonetheless, Citrix famous that profitable exploitation requires an attacker to be an authenticated consumer in the identical Home windows Lively Listing area because the session recording server area and on the identical intranet because the session recording server. The defects have been addressed within the following variations –
- Citrix Digital Apps and Desktops earlier than 2407 hotfix 24.5.200.8
- Citrix Digital Apps and Desktops 1912 LTSR earlier than CU9 hotfix 19.12.9100.6
- Citrix Digital Apps and Desktops 2203 LTSR earlier than CU5 hotfix 22.03.5100.11
- Citrix Digital Apps and Desktops 2402 LTSR earlier than CU1 hotfix 24.02.1200.16
It is value noting that Microsoft has urged builders to cease utilizing BinaryFormatter for deserialization, owing to the truth that the strategy shouldn’t be protected when used with untrusted enter. An implementation of BinaryFormatter has been faraway from .NET 9 as of August 2024.
“BinaryFormatter was applied earlier than deserialization vulnerabilities have been a well-understood menace class,” the tech big notes in its documentation. “In consequence, the code doesn’t observe trendy greatest practices. BinaryFormatter.Deserialize could also be susceptible to different assault classes, resembling info disclosure or distant code execution.”
On the coronary heart of the issue is the Session Recording Storage Supervisor, a Home windows service that manages the recorded session information obtained from every laptop that has the characteristic enabled.
Whereas the Storage Supervisor receives the session recordings as message bytes by way of the Microsoft Message Queuing (MSMQ) service, the evaluation discovered {that a} serialization course of is employed to switch the information and that the queue occasion has extreme privileges.
To make issues worse, the information obtained from the queue is deserialized utilizing BinaryFormatter, thereby permitting an attacker to abuse the insecure permissions set in the course of the initialization course of to move specifically crafted MSMQ messages despatched by way of HTTP over the web.
“We all know there’s a MSMQ occasion with misconfigured permissions, and we all know that it makes use of the notorious BinaryFormatter class to carry out deserialization,” Kheirkhah stated, detailing the steps to create an exploit. “The ‘cherry on prime’ is that it may be reached not solely domestically, by means of the MSMQ TCP port, but additionally from another host, by way of HTTP.”
“This combo permits for a very good outdated unauthenticated RCE,” the researcher added.
