Cybersecurity researchers have disclosed new safety flaws impacting Citrix Digital Apps and Desktop that may very well be exploited to attain unauthenticated distant code execution (RCE)
The problem, per findings from watchTowr, is rooted within the Session Recording element that permits system directors to seize consumer exercise, and document keyboard and mouse enter, together with a video stream of the desktop for audit, compliance, and troubleshooting functions.
Significantly, the vulnerability exploits the “combination of a carelessly-exposed MSMQ instance with misconfigured permissions that leverages BinaryFormatter can be reached from any host via HTTP to perform unauthenticated RCE,” safety researcher Sina Kheirkhah stated.
The vulnerability particulars are listed under –
- CVE-2024-8068 (CVSS rating: 5.1) – Privilege escalation to NetworkService Account entry
- CVE-2024-8069 (CVSS rating: 5.1) – Restricted distant code execution with the privilege of a NetworkService Account entry
Nonetheless, Citrix famous that profitable exploitation requires an attacker to be an authenticated consumer in the identical Home windows Lively Listing area because the session recording server area and on the identical intranet because the session recording server. The defects have been addressed within the following variations –
- Citrix Digital Apps and Desktops earlier than 2407 hotfix 24.5.200.8
- Citrix Digital Apps and Desktops 1912 LTSR earlier than CU9 hotfix 19.12.9100.6
- Citrix Digital Apps and Desktops 2203 LTSR earlier than CU5 hotfix 22.03.5100.11
- Citrix Digital Apps and Desktops 2402 LTSR earlier than CU1 hotfix 24.02.1200.16
It is value noting that Microsoft has urged builders to cease utilizing BinaryFormatter for deserialization, owing to the truth that the strategy will not be secure when used with untrusted enter. An implementation of BinaryFormatter has been eliminated from .NET 9 as of August 2024.
“BinaryFormatter was implemented before deserialization vulnerabilities were a well-understood threat category,” the tech large notes in its documentation. “As a result, the code does not follow modern best practices. BinaryFormatter.Deserialize may be vulnerable to other attack categories, such as information disclosure or remote code execution.”
On the coronary heart of the issue is the Session Recording Storage Supervisor, a Home windows service that manages the recorded session information acquired from every pc that has the function enabled.
Whereas the Storage Supervisor receives the session recordings as message bytes by way of the Microsoft Message Queuing (MSMQ) service, the evaluation discovered {that a} serialization course of is employed to switch the info and that the queue occasion has extreme privileges.
To make issues worse, the info acquired from the queue is deserialized utilizing BinaryFormatter, thereby permitting an attacker to abuse the insecure permissions set through the initialization course of to cross specifically crafted MSMQ messages despatched by way of HTTP over the web.
“We know there is a MSMQ instance with misconfigured permissions, and we know that it uses the infamous BinaryFormatter class to perform deserialization,” Kheirkhah stated, detailing the steps to create an exploit. “The ‘cherry on top’ is that it can be reached not only locally, through the MSMQ TCP port, but also from any other host, via HTTP.”
“This combo allows for a good old unauthenticated RCE,” the researcher added.