by Daniel Ruiz
Senior Solutions Architect
Updated: July 14, 2021
Citrix recently announced a new vulnerability in Citrix Virtual Apps and Desktops (formally known as XenApp & XenDesktop) that if exploited, could allow a user of a Windows VDA with Citrix Profile Management or the Citrix Profile Management WMI Plugin installed with Local privilege escalation access.
Unfortunately, the Citrix Profile Management WMI Plugin is not displayed under Add/Remove programs. However it can be checked if installed by running the following PowerShell command on a VDA.
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where {$_.Publisher -Like “*Citrix*”} | Select-Object DisplayName,Publisher,DisplayVersion | Sort-Object DisplayName
The Citrix Profile Management WMI plug-in provides Profile Management runtime information in WMI objects, such as profile provider, profile type, size, and disk usage. Then the WMI objects provide session information to Director.
Helient and Citrix are recommending that customers test, and then deploy the relevant hotfix on to any affected Windows VDAs.
Vulnerability:
CVE-2021-22928 – Local privilege escalation on a Windows VDA
Versions of Citrix Virtual Apps and Desktops affected:
- Citrix XenApp / XenDesktop 7.15 LTSR CU7 and earlier versions of 7.15 LTSR
- Citrix Virtual Apps and Desktops 1912 LTSR CU3 and earlier versions of 1912 LTSR
- Citrix Virtual Apps and Desktops 2106 and earlier versions
- Citrix Virtual Apps and Desktops 2106 is only affected when Citrix Profile Management is installed on a Windows VDA as Citrix Profile Management WMI Plugin is not affected in this version.
Fix to address CVE-2021-22928:
The hotfixes can be downloaded from the following locations:
Citrix Virtual Apps and Desktops 2106
Citrix Virtual Apps and Desktops 1912 LTSR
Citrix XenApp / XenDesktop 7.15 LTSR
If you would like more information or assistance from our industry leading team of Citrix experts to plan and execute the upgrade, please contact us at service@helient.com.