Citrix has addressed a critical vulnerability in its Secure Access client for Ubuntu that could lead to remote code execution (RCE). The company announced the release of the patches on Tuesday. The vulnerability, tracked as CVE-2023-24492 with a CVSS score of 9.6, could be exploited to achieve RCE, although, according to Citrix's advisory, exploitation requires user interaction.
"A vulnerability has been discovered in the Citrix Secure Access client for Ubuntu which, if exploited, could allow an attacker to remotely execute code if a victim user opens an attacker-crafted link and accepts further prompts," reads the advisory from NIST. Citrix has not disclosed the technical specifics of the flaw but has confirmed that it is addressed in version 23.5.2 of the Secure Access client for Ubuntu.
In addition, Citrix announced on Tuesday that it has patched a high-severity elevation of privilege vulnerability in the Secure Access client for Windows. This vulnerability, tracked as CVE-2023-24491 with a CVSS score of 7.8, allows an attacker who has access to an endpoint with a standard user account and a vulnerable client installed to elevate privileges to NT AUTHORITY\SYSTEM. The issue has been resolved with the release of Secure Access client for Windows version 126.96.36.199.
Both vulnerabilities were reported by Rilke Petrosky of F2TC Cyber Security. Citrix is advising customers to update their installations as soon as possible. Where the client is distributed through the SSL VPN upgrade control feature of Citrix ADC or Gateway, this is done by replacing the vulnerable client on the ADC or Gateway. Citrix also releases the Secure Access clients on a standalone basis, so customers can install or update the patched version directly on user devices.
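The practical defender task here is confirming that every Ubuntu endpoint actually runs 23.5.2 or later. The script below is an added example, not Citrix's tooling or anything from the advisory: it compares dotted client version strings numerically against the fixed Ubuntu version the article names and flags endpoints that still need the update. The inventory is constructed sample data, and how the installed version is collected from each machine (package manager query, MDM export) is left to the reader.

```python
import re
from typing import List, Tuple

# Fixed version for the Ubuntu Secure Access client, as stated in the article.
FIXED_UBUNTU_VERSION = "23.5.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of integers.

    Comparing integer tuples avoids the classic pitfall of comparing
    version strings lexically, where "23.10.0" sorts before "23.5.2".
    A packaging suffix after a hyphen (e.g. "22.9.1-2") is ignored.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_UBUNTU_VERSION) -> bool:
    """True if the installed client is older than the fixed release.

    Both tuples are zero-padded to the same length so that "23.5.2"
    and "23.5.2.0" compare as equal rather than as different lengths.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: List[Tuple[str, str]],
           fixed: str = FIXED_UBUNTU_VERSION) -> List[str]:
    """Return the hostnames whose installed client is below the fixed version."""
    return [host for host, installed in inventory if is_vulnerable(installed, fixed)]


# Constructed sample inventory (hostname, installed client version); not real data.
SAMPLE_INVENTORY = [
    ("ubuntu-laptop-01", "23.5.1"),
    ("ubuntu-laptop-02", "23.5.2"),
    ("ubuntu-laptop-03", "23.10.0"),
    ("ubuntu-laptop-04", "22.9.1-2"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required (client below {FIXED_UBUNTU_VERSION})")
```

Run against the constructed inventory, this reports ubuntu-laptop-01 and ubuntu-laptop-04; ubuntu-laptop-03 on 23.10.0 is correctly treated as newer than 23.5.2, which a plain string comparison would get wrong.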
Citrix has not reported any instances of these vulnerabilities being exploited in attacks. However, it is not unusual for unpatched Citrix products to be targeted in malicious attacks. More details on these vulnerabilities can be found on Citrix’s security bulletins page.