New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration

Avatar
Cybersecurity researchers have disclosed new security flaws impacting Citrix Virtual Apps and Desktop that could be exploited to achieve unauthenticated remote code execution (RCE) The issue, per findings from watchTowr, is rooted in the Session Recording component that allows system administrators to capture user activity, and record keyboard and mouse input, along with a video stream of the
[[{“value”:”

Cybersecurity researchers have disclosed new security flaws impacting Citrix Virtual Apps and Desktop that could be exploited to achieve unauthenticated remote code execution (RCE)

The issue, per findings from watchTowr, is rooted in the Session Recording component that allows system administrators to capture user activity, and record keyboard and mouse input, along with a video stream of the desktop for audit, compliance, and troubleshooting purposes.

Particularly, the vulnerability exploits the “combination of a carelessly-exposed MSMQ instance with misconfigured permissions that leverages BinaryFormatter can be reached from any host via HTTP to perform unauthenticated RCE,” security researcher Sina Kheirkhah said.

The vulnerability details are listed below –

CVE-2024-8068 (CVSS score: 5.1) – Privilege escalation to NetworkService Account access
CVE-2024-8069 (CVSS score: 5.1) – Limited remote code execution with the privilege of a NetworkService Account access

However, Citrix noted that successful exploitation requires an attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server domain and on the same intranet as the session recording server. The defects have been addressed in the following versions –

Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8
Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6
Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11
Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16

It’s worth noting that Microsoft has urged developers to stop using BinaryFormatter for deserialization, owing to the fact that the method is not safe when used with untrusted input. An implementation of BinaryFormatter has been removed from .NET 9 as of August 2024.

“BinaryFormatter was implemented before deserialization vulnerabilities were a well-understood threat category,” the tech giant notes in its documentation. “As a result, the code does not follow modern best practices. BinaryFormatter.Deserialize may be vulnerable to other attack categories, such as information disclosure or remote code execution.”

At the heart of the problem is the Session Recording Storage Manager, a Windows service that manages the recorded session files received from each computer that has the feature enabled.

While the Storage Manager receives the session recordings as message bytes via the Microsoft Message Queuing (MSMQ) service, the analysis found that a serialization process is employed to transfer the data and that the queue instance has excessive privileges.

To make matters worse, the data received from the queue is deserialized using BinaryFormatter, thereby allowing an attacker to abuse the insecure permissions set during the initialization process to pass specially crafted MSMQ messages sent via HTTP over the internet.

“We know there is a MSMQ instance with misconfigured permissions, and we know that it uses the infamous BinaryFormatter class to perform deserialization,” Kheirkhah said, detailing the steps to create an exploit. “The ‘cherry on top’ is that it can be reached not only locally, through the MSMQ TCP port, but also from any other host, via HTTP.”

“This combo allows for a good old unauthenticated RCE,” the researcher added.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns

Next Post

Surge in exploits of zero-day vulnerabilities is ‘new normal’ warns Five Eyes alliance

Related Posts

Social Media Accounts: The Weak Link in Organizational SaaS Security

Social media accounts help shape a brand’s identity and reputation. These public forums engage directly with customers as they are a hub to connect, share content and answer questions. However, despite the high profile role these accounts have, many organizations overlook social media account security. Many lack the safeguards to prevent unauthorized access — a situation no organization wants as
Avatar
Read More

VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. "Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to
Avatar
Read More

Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

Google's cloud division has announced that it will enforce mandatory multi-factor authentication (MFA) for all users by the end of 2025 as part of its efforts to improve account security. "We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025," Mayank Upadhyay, vice president of engineering and distinguished engineer at
Avatar
Read More