“This isn’t actually a bug within the BinaryFormatter itself, nor a bug in MSMQ,” said watchTowr, “but rather the unfortunate consequence of Citrix relying on the documented-to-be-insecure BinaryFormatter to maintain a security boundary. It’s a ‘bug’ that manifested during the design phase, when Citrix decided which serialization library to use.”
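The design choice watchTowr describes is easiest to see side by side. The following C# is an added illustration, not Citrix’s or watchTowr’s code, and it assumes nothing about how Session Recording is actually written: the message type `RecordingEvent`, its fields and the method names are invented for the example. It contrasts handing a queue payload to `BinaryFormatter`, which lets the payload name the .NET types to instantiate, with a data-only serializer bound to one concrete DTO, which is the kind of boundary-safe design the quote says was missing. .NET marks `BinaryFormatter` obsolete (warning SYSLIB0011) and recent versions disable it by default, so the weak method is kept only for contrast.

```csharp
// Added example (not from the article, Citrix, or watchTowr). Shows the weak
// pattern the quote criticises beside a data-only alternative.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical message type; name and fields are assumptions for this example.
public sealed class RecordingEvent
{
    public string SessionId { get; set; } = "";
    public DateTime Timestamp { get; set; }
    public string Action { get; set; } = "";
}

public static class MessageHandling
{
    // WEAK: BinaryFormatter reconstructs whatever types the sender encoded in the
    // payload, so a message crossing a trust boundary decides which .NET types get
    // instantiated. Microsoft documents BinaryFormatter as unsafe for untrusted input.
    public static RecordingEvent DeserializeWithBinaryFormatter(byte[] payload)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(payload);
#pragma warning disable SYSLIB0011 // obsolete API, shown deliberately as the weak pattern
        return (RecordingEvent)formatter.Deserialize(stream);
#pragma warning restore SYSLIB0011
    }

    // HARDENED: a data-only serializer bound to one concrete DTO. The payload cannot
    // name a type; it can only populate the properties of RecordingEvent, and the
    // consumer validates those before acting on them.
    private static readonly JsonSerializerOptions Options = new()
    {
        PropertyNameCaseInsensitive = true,
        MaxDepth = 8,
    };

    public static RecordingEvent DeserializeAsData(byte[] payload)
    {
        RecordingEvent evt = JsonSerializer.Deserialize<RecordingEvent>(payload, Options)
                             ?? throw new InvalidDataException("empty message");
        if (string.IsNullOrWhiteSpace(evt.SessionId) || evt.SessionId.Length > 64)
            throw new InvalidDataException("rejected: bad SessionId");
        if (evt.Action is not ("start" or "stop")) // allowlist of actions (assumed)
            throw new InvalidDataException("rejected: unknown Action");
        return evt;
    }

    public static byte[] SerializeAsData(RecordingEvent evt) =>
        JsonSerializer.SerializeToUtf8Bytes(evt, Options);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample message for the hardened path.
        var original = new RecordingEvent
        {
            SessionId = "sess-42",
            Timestamp = DateTime.UtcNow,
            Action = "start",
        };
        byte[] wire = MessageHandling.SerializeAsData(original);
        RecordingEvent parsed = MessageHandling.DeserializeAsData(wire);
        Console.WriteLine($"accepted: {parsed.SessionId} {parsed.Action}");

        // A payload that does not fit the DTO's allowlist is rejected rather than
        // being turned into arbitrary objects.
        byte[] bad = System.Text.Encoding.UTF8.GetBytes("{\"SessionId\":\"x\",\"Action\":\"rm\"}");
        try { MessageHandling.DeserializeAsData(bad); }
        catch (InvalidDataException e) { Console.WriteLine(e.Message); }
    }
}
```

The point of the hardened path is not JSON in particular but that the serializer has no way to instantiate a type the receiver did not choose at design time, which is exactly the property `BinaryFormatter` lacks. Where a component cannot yet drop `BinaryFormatter`, keeping it disabled through the runtime’s default and treating every queue consumer as an untrusted-input parser is the interim posture.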
A ‘medium’ risk, says Citrix
In an e-mail to CSO Online, Citrix said it takes reports of security vulnerabilities seriously. Once the company was made aware of this exploit, it worked with watchTowr to validate, reproduce, and mitigate the issue for the safety of customers.
Citrix rates it a “medium” security issue for several reasons: