New Citrix Zero-Day Vulnerability Allows Remote Code Execution

Summary:
Researchers at WatchTowr have disclosed new vulnerabilities in Citrix Virtual Apps and Desktops, particularly affecting the Session Recording component, which administrators use to monitor and record user sessions. These security flaws could potentially allow unauthenticated remote code execution, presenting a serious threat to affected systems. According to WatchTowr's findings, the vulnerabilities stem from a misconfigured Microsoft Message Queuing (MSMQ) instance and inadequate permissions, alongside the risky use of the BinaryFormatter class for data deserialization. This insecure setup enables remote exploitation over HTTP from any host, allowing attackers to bypass authentication and execute malicious code on vulnerable systems.

The vulnerabilities, CVE-2024-8068 and CVE-2024-8069, each with a CVSS score of 5.1, pose significant risks. CVE-2024-8068 enables privilege escalation to the NetworkService account, while CVE-2024-8069 permits limited RCE with NetworkService privileges. However, Citrix has clarified that exploitation requires an attacker to be an authenticated user within the same Windows Active Directory domain as the session recording server and connected to the same intranet. Citrix has released updates to address these issues, covering several versions, including Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8, 1912 LTSR CU9 hotfix 19.12.9100.6, 2203 LTSR CU5 hotfix 22.03.5100.11, and 2402 LTSR CU1 hotfix 24.02.1200.16.]

The main vulnerability, CVE-2024-8069, involves the Session Recording Storage Manager, a Windows service that manages recorded session files received from various computers. This service uses MSMQ to transfer session data as serialized message bytes. By deserializing these messages with BinaryFormatter—a method known to be insecure with untrusted input—the system becomes vulnerable to specially crafted MSMQ messages, potentially enabling RCE. Microsoft has advised against using BinaryFormatter, deprecating it as of .NET 9 in August 2024 due to security concerns, including RCE and information disclosure risks.


Security Officer Comments:
WatchTowr researcher Sina Kheirkhah highlighted that the MSMQ instance is accessible both locally and remotely via HTTP, significantly expanding the attack surface. The combination of misconfigured MSMQ permissions, deserialization flaws, and network accessibility ultimately allows for unauthenticated RCE.


Suggested Corrections:
Remediation advice is simply 'update to a patched version'. It is difficult to see how this bug could be mitigated otherwise, since the MSMQ interface is such a core part of the way that the application works, and attempting to restrict access to it would likely result in subtle (or not-so-subtle) breakage of the environment.


Link(s):
https://labs.watchtowr.com/visionar...citrix-virtual-apps-and-desktops-cve-unknown/

https://thehackernews.com/2024/11/new-flaws-in-citrix-virtual-apps-enable.html

https://support.citrix.com/s/articl...or-cve20248068-and-cve20248069?language=en_US