Citrix has released security updates to address two vulnerabilities in its Virtual Apps and Desktops Session Recording feature that could allow attackers to achieve remote code execution and privilege escalation.
The flaws, tracked as CVE-2024-8068 and CVE-2024-8069, were discovered and reported by security researcher Sina Kheirkhah of watchTowr.
The more severe of the two (CVE-2024-8069) stems from insecure use of Microsoft Message Queuing (MSMQ) together with .NET's BinaryFormatter to deserialize the messages the Session Recording server receives.
aUtHenTiCaTed RCE Citrix? pic.twitter.com/jKjRVhpLMf
— watchTowr (@watchtowrcyber) November 12, 2024
The flaw could allow an authenticated user on the same intranet as the Session Recording server to achieve limited remote code execution with NetworkService account privileges. The root cause is Citrix's use of BinaryFormatter for deserialization. Microsoft has long documented BinaryFormatter as unsafe for any input that is not fully trusted, because the sender controls which .NET types get instantiated, and has been removing it from the platform (it is disabled by default in modern .NET and throws unless explicitly re-enabled).
The second vulnerability (CVE-2024-8068) enables privilege escalation to NetworkService account access. It requires the attacker to be an authenticated user within the same Windows Active Directory domain as the Session Recording server.
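To make the BinaryFormatter point concrete, here is an added C# example, not Citrix's code and not watchTowr's proof of concept, showing the general pattern of an MSMQ consumer that deserializes with BinaryFormatter beside a hardened consumer. The queue path, the RecordingNotice type, the recording-store root and the sender account are all assumptions made for illustration.

```csharp
// Added example (not Citrix code): an MSMQ consumer that deserialises with
// BinaryFormatter, beside a hardened version. Targets .NET Framework with a
// reference to System.Messaging.dll. Queue name, message type, store root and
// sender account are illustrative assumptions.
using System;
using System.IO;
using System.Messaging;

[Serializable]
public class RecordingNotice
{
    public string SessionId { get; set; }
    public string FilePath { get; set; }
}

public static class RecordingQueueConsumer
{
    const string QueuePath = @".\private$\recording-notices";   // hypothetical queue
    const string StoreRoot = @"C:\SessionRecordings\";           // hypothetical store

    // VULNERABLE: BinaryMessageFormatter wraps BinaryFormatter, which instantiates
    // whatever type the sender names inside the payload. Any principal allowed to
    // send to the queue can deliver a gadget chain that runs code in this process
    // during Receive(), before Body is ever cast to RecordingNotice.
    public static RecordingNotice ReceiveUnsafe()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            queue.Formatter = new BinaryMessageFormatter();
            Message msg = queue.Receive(TimeSpan.FromSeconds(5));
            return (RecordingNotice)msg.Body;   // gadget already executed by now
        }
    }

    // Run once at service start: only the expected sender may enqueue. Without
    // this, every authenticated user who can reach MSMQ meets the precondition
    // for both the RCE and the privilege-escalation path.
    public static void RestrictSenders(string allowedSender)
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            queue.SetPermissions("Everyone", MessageQueueAccessRights.WriteMessage,
                                 AccessControlEntryType.Revoke);
            queue.SetPermissions(allowedSender, MessageQueueAccessRights.WriteMessage,
                                 AccessControlEntryType.Allow);
        }
    }

    // HARDENED: XmlMessageFormatter only materialises the types listed here, so a
    // payload naming any other type fails to deserialise instead of executing.
    // The data is then validated as well as the type.
    public static RecordingNotice ReceiveSafe()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            queue.Formatter = new XmlMessageFormatter(new[] { typeof(RecordingNotice) });
            Message msg = queue.Receive(TimeSpan.FromSeconds(5));
            var notice = (RecordingNotice)msg.Body;

            if (string.IsNullOrWhiteSpace(notice.SessionId) ||
                string.IsNullOrWhiteSpace(notice.FilePath))
                throw new InvalidOperationException("rejected notice: missing fields");

            // Canonicalise before comparing so "..\" segments and UNC paths cannot
            // escape the recording store.
            string full = Path.GetFullPath(notice.FilePath);
            if (!full.StartsWith(StoreRoot, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("rejected notice: path outside store");

            notice.FilePath = full;
            return notice;
        }
    }
}
```

The two changes are independent and both matter: swapping the formatter removes the code-execution primitive regardless of who can send, and tightening the queue ACL shrinks the set of principals who can reach the consumer at all. Neither is a substitute for Citrix's hotfix; they illustrate why an authenticated-only precondition does not make a BinaryFormatter sink acceptable.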
Both vulnerabilities have been assigned a CVSS v4.0 Base Score of 5.1 (Medium). The affected releases of Citrix Virtual Apps and Desktops are:
- Versions before 2407 hotfix 24.5.200.8
- 1912 LTSR versions before CU9 hotfix 19.12.9100.6
- 2203 LTSR versions before CU5 hotfix 22.03.5100.11
- 2402 LTSR versions before CU1 hotfix 24.02.1200.16
The Session Recording feature in Citrix Virtual Apps and Desktops captures user activity in virtual sessions, including screen content and, optionally, keyboard and other input events, primarily for compliance and troubleshooting purposes. Recordings are stored on a central Session Recording server and streamed from it to authorised viewers, which is why a flaw in that server's message handling exposes the whole deployment rather than a single endpoint.
Citrix has released patches for all affected versions and strongly recommends that customers install the relevant updates as soon as possible. The company has published detailed information about the vulnerabilities and available fixes in its security bulletin (CTX691941).
The discovery timeline indicates that the vulnerabilities were initially reported to Citrix on July 14, 2024. After some back-and-forth communication and proof-of-concept demonstration, Citrix worked to develop and release patches ahead of the coordinated disclosure date of November 12, 2024.
Organizations using Citrix Virtual Apps and Desktops with Session Recording enabled should prioritize applying these security updates to protect against potential exploitation. Customers can download the appropriate hotfixes from the Citrix Support website, with specific versions available for each affected release stream. Because CVE-2024-8069 requires only an authenticated user on the same intranet, limiting which hosts can reach the Session Recording server's MSMQ service (TCP 1801 by default) is a reasonable compensating control until the hotfix is installed, but not a replacement for it.