by Daniel Ruiz
Senior Solutions Architect
On November 10th 2020, Citrix announced new Citrix Virtual Apps and Desktop (CVAD) Security Vulnerabilities. Customers should ensure they have installed the latest cumulative update and then apply all hotfixes for that version.
Vulnerabilities:
- A user with access to a Windows Virtual Desktop can escalate their privilege level on that Windows Virtual Desktop to SYSTEM.
- Remote compromise of a Windows Virtual Desktop which has Windows file sharing (SMB) enabled.
Affected CVAD versions:
- Citrix Virtual Apps and Desktops 2006 and earlier versions
- Citrix Virtual Apps and Desktops 1912 LTSR CU1 and earlier versions of 1912 LTSR
- Citrix XenApp / XenDesktop 7.15 LTSR CU6 and earlier versions of 7.15 LTSR
- Citrix XenApp / XenDesktop 7.6 LTSR CU8 and earlier versions of 7.6 LTSR
Mitigating Factors:
This issue is only exploitable if low-privilege users have been granted permission to write files to the C:\ directory. This permission is not granted by default in Windows, and Citrix recommends that users are granted only the permissions they require.
A remote compromise is only possible when Windows file sharing (SMB) is enabled on the Windows Virtual Desktop. If authentication is required for SMB then an attacker must also be able to authenticate in order to remotely compromise the Virtual Desktop.
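The two mitigating factors above are both things an administrator can verify on each Windows Virtual Desktop (VDA) while the hotfixes are being rolled out. The script below is an added example for this post, not Citrix's code and not part of the advisory; it assumes it is run from an elevated PowerShell session on the VDA itself, that the system drive is C:, and that the principal list in `$BroadPrincipals` (a name chosen here) is the set of low-privilege groups you care about. It reports any access-control entry that lets one of those groups create files directly in the C:\ root, and summarizes whether the SMB server is running and what it shares.

```powershell
# Added example (not from the Citrix advisory or this post). Checks the two
# preconditions the advisory names on a VDA host. Assumptions: run elevated on
# the VDA, system drive is C:, English account names (localized builds name
# BUILTIN\Users differently, so adjust the list below).

function Test-SystemRootWriteAccess {
    param(
        [string]$Path = 'C:\',
        [string[]]$BroadPrincipals = @(
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            'Everyone'
        )
    )

    # CreateFiles (0x2) is the same bit as WriteData; Write, Modify and
    # FullControl all include it, so one bit test covers every specific right
    # that allows writing a file into this directory.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    # ACEs written with generic rights show up as raw masks rather than named
    # FileSystemRights values; GENERIC_WRITE and GENERIC_ALL both grant writes.
    $genericWriteOrAll = 0x40000000 -bor 0x10000000
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # The default Windows ACL gives Users WriteData on C:\ as an
        # inherit-only ACE: it applies to subfolders, never to C:\ itself.
        if ((([int]$ace.PropagationFlags) -band $inheritOnly) -ne 0) { continue }

        $rights = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $createFiles) -ne 0) -or
                    (($rights -band $genericWriteOrAll) -ne 0)
        if ($canWrite -and ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-SmbServerExposure {
    # LanmanServer is the "Server" service that answers SMB requests.
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $cfg = Get-SmbServerConfiguration
    # IPC$ is always present; list only the shares that expose a path.
    $shares = Get-SmbShare | Where-Object { $_.Name -ne 'IPC$' }
    [pscustomobject]@{
        ServerServiceStatus = if ($svc) { $svc.Status } else { 'not installed' }
        Smb1Enabled         = $cfg.EnableSMB1Protocol
        Smb2Enabled         = $cfg.EnableSMB2Protocol
        Shares              = ($shares | Select-Object -ExpandProperty Name) -join ', '
    }
}

# Usage: an empty first result means no broad principal can create files in
# the C:\ root, which is the advisory's default (non-exploitable) state.
$writeFindings = Test-SystemRootWriteAccess
if ($writeFindings) {
    Write-Warning 'Low-privilege write access to the C:\ root detected:'
    $writeFindings | Format-Table -AutoSize
} else {
    'No broad Allow ACE grants file creation in the C:\ root.'
}
Get-SmbServerExposure | Format-List
```

A non-empty first result means the privilege-escalation precondition is present on that VDA and the ACE should be reviewed before relying on anything other than the hotfix; a running Server service with SMB2 enabled and non-default shares means the remote path is reachable, subject to the authentication caveat the advisory notes. Neither check replaces installing the cumulative update and hotfixes listed below.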
Hotfixes for 1912 LTSR and 7.15 LTSR:
The issues have been addressed in the following versions:
- Citrix Virtual Apps and Desktops 2009 or later
- Citrix Virtual Apps and Desktops 1912 LTSR CU1 hotfixes CTX285870, CTX285871, CTX285872 and CTX286120, and later cumulative updates
- Citrix XenApp / XenDesktop 7.15 LTSR CU6 hotfixes CTX285341, CTX285342 and CTX285344, and later cumulative updates
- Citrix XenApp / XenDesktop 7.6 LTSR CU9 and later cumulative updates
Citrix Virtual Apps and Desktops 1912 CU1:
Citrix XenApp / XenDesktop 7.15 CU6:
If you would like more information or assistance from our industry-leading team of Citrix experts to plan and execute the upgrade, please contact us at service@helient.com.