Citrix Quickly Responds to Zero-Day Recording Manager Vulnerabilities

November 12, 2024

Citrix has swiftly released patches for two vulnerabilities in its Citrix Virtual Apps and Desktop technology, which could allow a remote attacker to escalate privileges or execute code of their choice on vulnerable systems. The company insists that these remote code execution (RCE) vulnerabilities can only be abused by previously authenticated attackers. However, watchTowr, the research group that discovered the flaws and developed a proof-of-concept exploit (PoC), contends that these are point-and-click vulnerabilities that can be exploited by unauthenticated attackers with relative ease.

The vulnerabilities in question are tracked by Citrix as CVE-2024-8068 and CVE-2024-8069. They affect the Session Recording Manager component of the thin-client technology, which allows administrators to capture, store, and manage recordings of user sessions. The vulnerabilities stem from a weakness in how the Session Recording Manager deserializes or unpacks data that has been converted into a format that is easy to store and transmit.

Citrix initially claimed that it was unable to reproduce the issue, but later acknowledged the problem after watchTowr provided them with a PoC exploit for the vulnerability. In an advisory issued on Nov. 12, Citrix described CVE-2024-8068 as a privilege escalation vulnerability that allows an authenticated user in the same Windows Active Directory domain as the session recording server to gain NetworkService Account access. According to Citrix, CVE-2024-8069 is a 'limited' RCE for attackers with admin level account access on vulnerable systems.

Despite these vulnerabilities, Citrix has only assigned them medium severity scores of 5.1 out of 10 on the CVSS vulnerability rating scale, a decision that watchTowr disputes. Benjamin Harris, CEO of watchTowr, stated, 'Citrix is downplaying the severity of this vulnerability as a medium priority when it’s really point-click-full-takeover.' Harris further explained that the combination of the two vulnerabilities allows for a 'good old unauthenticated RCE.'

Citrix's Virtual Apps and Desktop technology is a flagship Citrix solution, targeted at Fortune 500 organizations. It allows users to access their applications and desktop environments from anywhere and on any device. The Session Recording feature of the technology, where the flaws were discovered, enables admins to monitor for anomalous behavior and maintain a detailed record of user activity for future audit and troubleshooting purposes.

Demand for such technologies has surged in recent years as companies have increasingly adopted remote and hybrid work models. The market for these technologies is projected to reach $1.7 billion in 2028, up from around $1.5 billion last year. The broader desktop as a service (DaaS) market is expected to reach nearly $19 billion by 2030, up from just over $4 billion in 2021.

The vulnerabilities were discovered by watchTowr during an examination of Citrix's Virtual Apps and Desktop's architecture for potential security issues. The security vendor found that Citrix's app uses Microsoft's Message Queuing (MSMQ) service to receive recorded user session files and to store them in a separate storage manager component. Furthermore, watchTowr found that Citrix was using a Microsoft technology called BinaryFormatter to deserialize data in the storage manager component when needed, a technology that Microsoft has urged organizations to stop using due to unfixable security weaknesses.

Harris noted that the vulnerabilities originated from a combination of an Internet-accessible MSMQ instance in the session recording component of Citrix's Virtual Apps and Desktop technology and misconfigured permissions related to BinaryFormatter. He stated, 'This isn't really a bug in the BinaryFormatter itself, nor a bug in MSMQ, but rather the unfortunate consequence of Citrix relying on the documented-to-be-insecure BinaryFormatter to maintain a security boundary.'

Citrix's technologies are often targeted by attackers due to the high level of access they provide to enterprise applications and data. Many of the recently reported security flaws have impacted the company's NetScaler ADC and NetScaler Gateway remote access platforms.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.