Attempts to Exploit Unpatched Citrix Vulnerability

Summary:

watchTowr Labs has identified an unpatched vulnerability in Citrix’s remote access solution, specifically in “Virtual Apps and Desktops.” The vulnerability poses a significant risk because it allows unauthorized access and potential privilege escalation affecting all connected sessions. The exploit can be triggered without prior authentication, raising concerns about the security of remote work environments.

Key points:

  • New vulnerability discovered in Citrix’s remote access solution.
  • Affects “Virtual Apps and Desktops,” commonly used for remote work.
  • Privilege escalation vulnerability could compromise the entire server and all sessions.
  • Session recording feature is vulnerable due to deserialization issues.
  • Exploit code has been published on GitHub.
  • Exploit can be triggered without prior authentication.
  • Requests appear to originate from an IP in Johannesburg, South Africa.

MITRE Techniques:

  • Privilege Escalation (T1068): Exploits a vulnerability to gain elevated access to resources that are normally protected from an application or user.
  • Exploitation for Client Execution (T1203): Uses a vulnerability in a client application to execute code on the client machine.
  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.

IoC:

  • [IP Address] 192[.]143[.]1[.]40
  • [URL] hxxp[:]//91[.]212[.]166[.]60/script_xen80-mix.php


  • Full Research: https://isc.sans.edu/diary/Exploit+attempts+for+unpatched+Citrix+vulnerability/31446/