Cybersecurity researchers have disclosed new safety flaws impacting Citrix Digital Apps and Desktop that could possibly be exploited to realize unauthenticated distant code execution (RCE)
The problem, per findings from watchTowr, is rooted within the Session Recording part that enables system directors to seize consumer exercise, and report keyboard and mouse enter, together with a video stream of the desktop for audit, compliance, and troubleshooting functions.
Significantly, the vulnerability exploits the “mixture of a carelessly-exposed MSMQ occasion with misconfigured permissions that leverages BinaryFormatter could be reached from any host by way of HTTP to carry out unauthenticated RCE,” safety researcher Sina Kheirkhah mentioned.
The vulnerability particulars are listed beneath –
- CVE-2024-8068 (CVSS rating: 5.1) – Privilege escalation to NetworkService Account entry
- CVE-2024-8069 (CVSS rating: 5.1) – Restricted distant code execution with the privilege of a NetworkService Account entry
Nonetheless, Citrix famous that profitable exploitation requires an attacker to be an authenticated consumer in the identical Home windows Energetic Listing area because the session recording server area and on the identical intranet because the session recording server. The defects have been addressed within the following variations –
- Citrix Digital Apps and Desktops earlier than 2407 hotfix 24.5.200.8
- Citrix Digital Apps and Desktops 1912 LTSR earlier than CU9 hotfix 19.12.9100.6
- Citrix Digital Apps and Desktops 2203 LTSR earlier than CU5 hotfix 22.03.5100.11
- Citrix Digital Apps and Desktops 2402 LTSR earlier than CU1 hotfix 24.02.1200.16
It is price noting that Microsoft has urged builders to cease utilizing BinaryFormatter for deserialization, owing to the truth that the strategy just isn’t protected when used with untrusted enter. An implementation of BinaryFormatter has been eliminated from .NET 9 as of August 2024.
“BinaryFormatter was carried out earlier than deserialization vulnerabilities had been a well-understood menace class,” the tech large notes in its documentation. “Consequently, the code doesn’t comply with trendy finest practices. BinaryFormatter.Deserialize could also be susceptible to different assault classes, equivalent to data disclosure or distant code execution.”
On the coronary heart of the issue is the Session Recording Storage Supervisor, a Home windows service that manages the recorded session recordsdata obtained from every pc that has the characteristic enabled.
Whereas the Storage Supervisor receives the session recordings as message bytes by way of the Microsoft Message Queuing (MSMQ) service, the evaluation discovered {that a} serialization course of is employed to switch the info and that the queue occasion has extreme privileges.
To make issues worse, the info obtained from the queue is deserialized utilizing BinaryFormatter, thereby permitting an attacker to abuse the insecure permissions set through the initialization course of to go specifically crafted MSMQ messages despatched by way of HTTP over the web.
“We all know there’s a MSMQ occasion with misconfigured permissions, and we all know that it makes use of the notorious BinaryFormatter class to carry out deserialization,” Kheirkhah mentioned, detailing the steps to create an exploit. “The ‘cherry on prime’ is that it may be reached not solely regionally, by way of the MSMQ TCP port, but additionally from every other host, by way of HTTP.”
“This combo permits for an excellent previous unauthenticated RCE,” the researcher added.
