A recently discovered vulnerability in Citrix Virtual Apps and Desktops is being actively exploited in the wild. The flaw, which allows for unauthenticated remote code execution (RCE), poses a significant threat to organizations using the popular remote access solution.
Last week, Watchtowr Labs disclosed details of the vulnerability affecting Citrix’s Session Recording Manager component. This feature, designed to capture user activity for auditing and troubleshooting purposes, contains a critical flaw in its implementation.
The vulnerability stems from a misconfigured Microsoft Message Queuing (MSMQ) service instance combined with the insecure BinaryFormatter class in .NET. This combination allows attackers to reach the vulnerable component via HTTP and potentially execute arbitrary code without authentication.
Watchtowr researchers emphasized the severity of the issue, stating, “This is a privesc bug yielding SYSTEM privileges for any VDI user, which is actually a lot worse than it might initially sound since that’s SYSTEM privileges on the server that hosts all the applications and access is ‘by design’”.
Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders - Attend Free Webinar
The vulnerability is particularly concerning because Citrix Virtual Apps and Desktops are widely used for remote work and in call center environments to isolate individual workstations. A successful exploit could compromise not just a single desktop but the entire server and all connected sessions.
Active Exploitation of Vulnerability
Johannes Ullrich of SANS observed active exploitation attempts in the wild. One honeypot detected a malicious POST request targeting the vulnerable MSMQ endpoint. The exploit attempt included a command to download and execute a script from an external server.
Shadowserver earlier has observed active wild exploitation attempts. “We started seeing Citrix Virtual Apps and Desktops CVE-2024-8068/CVE-2024-8069 PoC-based attempts at around 16:00 UTC today, shortly after publication.”
While Citrix has acknowledged the vulnerability, there is currently no patch available. The company has issued hotfixes for affected versions and urged customers to install them immediately.
Organizations using Citrix Virtual Apps and Desktops are strongly advised to take immediate action to mitigate the risk:
- Apply the latest hotfixes provided by Citrix.
- Monitor systems for unusual activity or unauthorized access attempts.
- Implement network segmentation to limit potential lateral movement in case of compromise.
- Review and secure MSMQ configurations and permissions.
Simplify and speed up Threat Analysis Workflow by Auto-detonating Cyber Attacks in a Malware sandbox