### #CitrixVulnerabilities #CyberSecurity #RemoteAccessExploitation
Summary: Two critical vulnerabilities in Citrix’s “Virtual Apps and Desktops” solution, CVE-2024-8068 and CVE-2024-8069, are being actively exploited, allowing attackers to execute arbitrary code. The vulnerabilities stem from misconfigurations and insecure coding practices within the Citrix software stack.
Threat Actor: Unknown | unknown
Victim: Citrix Systems | Citrix Systems
Key Point :
- Two vulnerabilities, CVE-2024-8068 and CVE-2024-8069, are actively exploited in Citrix’s remote access solution.
- Exploitation allows attackers to execute arbitrary code with NetworkService account privileges, compromising server control.
- Citrix’s Session Recording Manager also has a deserialization vulnerability, providing another attack vector.
- Proof-of-concept exploit code is publicly available on GitHub, increasing the risk of widespread attacks.
- Citrix has issued a security bulletin urging immediate patching of affected installations.
Two vulnerabilities in Citrix’s “Virtual Apps and Desktops” remote access solution, CVE-2024-8068 and CVE-2024-8069, are actively being exploited in the wild, according to a report from Johannes B. Ullrich, Ph.D., Dean of Research at SANS.edu. These vulnerabilities arise from a confluence of factors, including an exposed and misconfigured Microsoft Message Queuing (MSMQ) instance coupled with the utilization of the insecure BinaryFormatter class within the Citrix software stack.
The exposed MSMQ service, accessible via HTTP, allows unauthorized remote attackers to interact with the service. Exploitation of this vulnerability, in conjunction with the inherent insecurity of the BinaryFormatter class, enables attackers to execute arbitrary code with the privileges of the NetworkService account. This effectively grants attackers significant control over the affected Citrix server and all associated virtual desktop sessions.
Citrix’s Session Recording Manager, a component designed to facilitate administrative review of user sessions, also has a deserialization vulnerability. This vulnerability provides an additional attack vector for malicious actors to compromise the system. Proof-of-concept (PoC) exploit code for this vulnerability has been publicly released on GitHub.
Evidence suggests that these vulnerabilities are actively being exploited. Analysis conducted by Dr. Johannes B. Ullrich, Dean of Research at SANS Institute, indicates that attackers are leveraging these flaws to execute malicious payloads delivered via a command-and-control server potentially located in Johannesburg, South Africa. The Shadowserver Foundation confirmed that exploitation attempts began on November 13th.
We started seeing Citrix Virtual Apps and Desktops CVE-2024-8068/CVE-2024-8069 PoC based attempts at around 16:00 UTC today, shortly after publication.
While there is discussion on whether these are remotely exploitable without auth, we urge you to update your installations NOW pic.twitter.com/LdOEmfGXUX
— The Shadowserver Foundation (@Shadowserver) November 12, 2024
Citrix has released a security bulletin acknowledging these vulnerabilities and urging customers to apply the latest patches for Session Recording Manager immediately.