Advisory addresses two vulnerabilities that could allow privilege escalation and remote code execution

Threat ID:CC-4572

Threat Severity:Medium

Published:13 November 2024 12:45 PM

Summary

Affected platforms

The following platforms are known to be affected:

Citrix Session Recording

Current Release prior to 2407 hotfix 24.5.200.8

Version 2402 LTSR prior to CU1 hotfix 24.02.1200.16

Version 2203 LTSR prior to CU5 hotfix 22.03.5100.11

Version 1912 LTSR prior to CU9 hotfix 19.12.9100.6

Threat details

Exploitation of CVE-2024-8068 and CVE-2024-8069

Security researchers have observed exploitation of CVE-2024-8068 and CVE-2024-8069 in the wild. A public proof-of-concept exploit and a technical analysis of the vulnerabilities has also been published. This information may be used by attackers to target these vulnerabilities in an exploit chain, increasing the likelihood of successful exploitation.

Introduction

Citrix has released a security advisory to address two vulnerabilities in Session Recording. Citrix Session Recording is a feature of Virtual Apps and Desktops, which is a virtual desktop infrastructure (VDI) solution, providing users with a secure desktop experience on any device.

Vulnerability Details

CVE-2024-8068 is an 'improper privilege management' vulnerability in Session Recording with a CVSSv4 score of 5.1, which if exploited could allow a remote, authenticated attacker to perform privilege escalation to the NetworkService account.

CVE-2024-8069 is a 'deserialisation of untrusted data' vulnerability in Session Recording with a CVSSv4 score of 5.1, which if exploited could allow a remote, authenticated attacker to execute arbitrary code on the session recording server.

CVE-2024-8068 and CVE-2024-8069 can be chained together, allowing a remote, authenticated attacker to perform remote code execution on the underlying server with SYSTEM privileges.

Security researchers are claiming that CVE-2024-8068 and CVE-2024-8069 do not require authentication to exploit. If this claim is true, a remote, unauthenticated attacker could execute arbitrary code with SYSTEM privileges on the Virtual Apps and Desktops server.

Threat updates


15 Nov 2024	Replaced 'Citrix Virtual Apps and Desktops' with 'Citrix Session Recording' to better reflect the affected product, according to the revised Citrix advisory.

Remediation advice

Affected organisations are strongly encouraged to review Citrix Security Bulletin CTX691941 and apply the relevant updates as soon as practicable.

Definitive source of threat updates

https://support.citrix.com/s/article/CTX691941-citrix-session-recording-security-bulletin-for-cve20248068-and-cve20248069?language=en_US

CVE Vulnerabilities

StatusPublished

CVE-2024-8068Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain

StatusPublished

CVE-2024-8069Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server

Last edited: 15 November 2024 2:01 pm