HTTP your way into Citrix's Virtual Apps and Desktops with fresh exploit code

Researchers are publicizing a proof of concept (PoC) exploit for what they're calling an unauthenticated remote code execution (RCE) vulnerability in Citrix's Virtual Apps and Desktops.

The exploit, discovered by watchTowr, can be carried out using only an HTTP request, handing an attacker system privileges on the vendor's virtual desktop infrastructure (VDI) product.

Citrix has urged customers to install hot fixes (see below) and denies the vuln can be described as an "unauthenticated RCE."

Sina Kheirkhah, vulnerability researcher at watchTowr, however, states: "This one is a privesc bug yielding system privileges for any VDI user, which is actually a lot worse than it might initially sound since that's system privileges on the server that hosts all the applications and access is 'by design' – allowing an attacker to impersonate any user, including administrators, and monitor behavior, connectivity."

Kheirkhah added: "Since everything is so seamless and portable, it's an easy jump from there to impersonating users or 'shadowing' them, observing their every action. The centralized administration system can easily become a panopticon."

The vulnerability lies in Virtual Apps and Desktops' Session Recording Manager feature, which records a video stream of any given user's session, their keystrokes, and mouse movements. Ideal for monitoring, troubleshooting, compliance, etc. 

Sessions are sent to the Session Recording Server, as watchTowr referred to it, and then stored in a database. According to Citrix's documentation, the files are sent as message bytes via the Microsoft Message Queuing (MSMQ) service.

Kheirkhah explained that MSMQ essentially allows two processes to communicate via a queue, but that also means the data must be serialized so the transferred data can be read by the other side.

Digging into the serialization process, watchTowr found a number of issues. The first, less severe one was that the queue initialization process was littered with overly open permissions, allowing anyone to insert messages into the queue.

The second, worse issue was the finding that BinaryFormatter, a .NET class, is used for deserialization. The problem here is that the class is considered obsolete and irreparably insecure. Its creator, Microsoft, even classifies it as "dangerous."

"The BinaryFormatter type is dangerous and is not recommended for data processing," reads Microsoft's documentation. 

"Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure."

Exploiting the vulnerability can be achieved using an HTTP request, despite MSMQ being reached via TCP port 1801. Kheirkhah noted his surprise that Citrix enabled MSMQ over HTTP, which seems unnecessary given that none of the product's functionality uses it and it is typically disabled by default.

"Perhaps some developer accidentally enabled it, committed the code, and forgot about it," he said. "We'll leave the root-cause-analysis to Citrix themselves."

Kheirkhah's blog details the makeup of the HTTP packet required to exploit the flaw and the research in greater depth. As ever, though, when PoC code is released, it's always a good idea to apply the relevant patches as soon as possible.

Speaking of, Citrix published a security advisory today after watchTowr went live with its blog. It addressed the exploit with a number of hotfixes for affected versions and urged customers to install them.

Citrix Virtual Apps and Desktops before 2407 (current release): Hotfix 24.5.200.8

Citrix Virtual Apps and Desktops 1912 Long-term Service Release (LTSR) before CU9: Hotfix 19.12.9100.6

Citrix Virtual Apps and Desktops 2203 LTSR before CU5: Hotfix 22.03.5100.11

Citrix Virtual Apps and Desktops 2402 LTSR before CU1: Hotfix 24.02.1200.16

Clash of heads

A Citrix spokesperson also told The Register it rejects watchTowr's assertion that the vulnerability can be described as an unauthenticated RCE.

"Please note that based on the analysis by the security team, this is not an unauthenticated RCE. It is an authenticated RCE that can be done only as a NetworkService account," said the spokesperson.

We're told Citrix plans to publish a blog later today outlining exactly why it disagrees with the researchers over at watchTowr. A spokesperson for the latter, conversely, told The Register in response to the vendor's advisory that Citrix is downplaying the severity of the issue.

"Citrix is downplaying the severity of this vulnerability as a medium priority when it's really point-click-full-takeover," said watchTowr.

Citrix assigned two separate CVE identifiers for the vulnerabilities that underpin the exploit:

CVE-2024-8068 (5.1 CVSSv4): A privilege escalation flaw to access a NetworkService account. An attacker would also need to be authenticated in the same Active Directory domain as the session recording server domain.

CVE-2024-8068 (5.1 CVSSv4): Limited RCE flaw. An attacker requires access to a NetworkService account and be authenticated on the victim's intranet.

The descriptions of the vulnerabilities supplied by Citrix do indeed downplay the tone adopted by the researchers. They suggest there are significantly higher hurdles for an attacker to surmount than originally thought.

watchTowr remains insistent that its PoC works as first described, however. ®