Security researchers have disclosed critical vulnerabilities in Citrix Virtual Apps and Desktops that could allow remote code execution (RCE) attacks.
Proof-of-concept (PoC) exploitation attempts have already been observed in the wild, highlighting the urgency for organizations to patch affected systems.
The vulnerabilities tracked as CVE-2024-8068 and CVE-2024-8069 impact the Session Recording component of Citrix Virtual Apps and Desktops.
This feature allows administrators to capture user activity, including keyboard input and screen content, for auditing and troubleshooting purposes.
Researchers from watchTowr discovered that a misconfigured Microsoft Message Queuing (MSMQ) instance combined with insecure use of .NET’s BinaryFormatter for deserialization creates an exploitable condition.
An attacker could leverage these flaws to achieve unauthenticated RCE against Citrix Virtual Apps and Desktops environments.
Affected versions include:
- Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8
- Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6
- Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11
- Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16
Citrix has released patches to address the vulnerabilities and strongly urges customers to install the updates as soon as possible. The company notes that successful exploitation requires an attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server.
However, security experts warn that the potential for unauthenticated RCE should not be discounted. Sina Kheirkhah, the researcher who discovered the flaws, stated: “This combo allows for a good old unauthenticated RCE.”
Adding to the urgency, Shadowserver has observed active exploitation attempts in the wild: “We started seeing Citrix Virtual Apps and Desktops CVE-2024-8068/CVE-2024-8069 PoC-based attempts at around 16:00 UTC today, shortly after publication.”
The vulnerabilities stem from Citrix’s use of BinaryFormatter, a .NET class that Microsoft has explicitly warned against using due to inherent security risks. Microsoft’s documentation states: “BinaryFormatter is insecure and can’t be made secure. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they’re processing to be trustworthy.”
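An added illustration, not Citrix's code and not from watchTowr's write-up, of the two patterns the advisory contrasts: an MSMQ receiver that hands queue message bodies to BinaryFormatter, beside the same receiver bound to one concrete type with a data-only formatter and a restricted send ACL. The queue path, the RecordingEvent type and the service account name are assumptions; the page does not name the real ones.

```csharp
// Added example (not Citrix's code). Queue path, record type and account are assumptions.
using System;
using System.Messaging;   // System.Messaging.dll (.NET Framework); MSMQ client API

// Hypothetical record type standing in for whatever a recording service accepts.
public sealed class RecordingEvent
{
    public string SessionId { get; set; }
    public string EventName { get; set; }
    public DateTime Timestamp { get; set; }
}

public static class QueueConsumer
{
    // Assumed queue path; the real Session Recording queue is not named on the page.
    private const string QueuePath = @".\private$\recording-events";

    // WEAK: BinaryMessageFormatter wraps BinaryFormatter, so the sender's message body
    // dictates which types are instantiated before the cast below ever runs. This is the
    // "insecure and can't be made secure" case Microsoft's guidance describes.
    public static RecordingEvent ReceiveUnsafe()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            queue.Formatter = new BinaryMessageFormatter();
            Message msg = queue.Receive(TimeSpan.FromSeconds(5));
            return (RecordingEvent)msg.Body;   // object graph already built by now
        }
    }

    // HARDENED: a data-only formatter bound to exactly one target type, so no type
    // metadata from the sender is honoured, plus a queue ACL so only the intended
    // service account may send. A body that does not match RecordingEvent makes
    // msg.Body throw InvalidOperationException instead of instantiating anything else.
    public static RecordingEvent ReceiveHardened()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            // Assumed account name; restrict senders rather than trusting the domain.
            queue.SetPermissions(@"DOMAIN\svc-recording", MessageQueueAccessRights.WriteMessage);
            queue.Formatter = new XmlMessageFormatter(new[] { typeof(RecordingEvent) });
            Message msg = queue.Receive(TimeSpan.FromSeconds(5));
            return (RecordingEvent)msg.Body;
        }
    }
    // Note: on .NET 8+ BinaryFormatter throws NotSupportedException unless the
    // EnableUnsafeBinaryFormatterSerialization runtime switch is deliberately turned on.
}
```

Auditing a .NET Framework service for the weak pattern means searching for BinaryFormatter and BinaryMessageFormatter references, since the framework does not block them; the runtime switch note applies only to modern .NET.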
Organizations utilizing Citrix Virtual Apps and Desktops, especially those with Session Recording enabled, are advised to prioritize patching these vulnerabilities immediately.
In addition to applying the provided hotfixes, security teams should review logs for any signs of exploitation attempts and consider implementing additional network segmentation to limit potential exposure.
As the situation develops, Citrix has stated they are actively monitoring for any new information and will provide updates as necessary. The incident serves as a reminder of the critical importance of prompt patch management and the ongoing challenges posed by legacy components in enterprise software.