Critical Vulnerabilities in Citrix Virtual Apps and Desktops Actively Exploited

Two vulnerabilities in Citrix’s “Virtual Apps and Desktops” remote access solution, CVE-2024-8068 and CVE-2024-8069, are actively being exploited in the wild, according to a report from Johannes B. Ullrich, Ph.D., Dean of Research at SANS.edu. These vulnerabilities arise from a confluence of factors, including an exposed and misconfigured Microsoft Message Queuing (MSMQ) instance coupled with the utilization of the insecure BinaryFormatter class within the Citrix software stack.

The exposed MSMQ service, accessible via HTTP, allows unauthorized remote attackers to interact with the service. Exploitation of this vulnerability, in conjunction with the inherent insecurity of the BinaryFormatter class, enables attackers to execute arbitrary code with the privileges of the NetworkService account. This effectively grants attackers significant control over the affected Citrix server and all associated virtual desktop sessions.

Citrix’s Session Recording Manager, a component designed to facilitate administrative review of user sessions, also has a deserialization vulnerability. This vulnerability provides an additional attack vector for malicious actors to compromise the system. Proof-of-concept (PoC) exploit code for this vulnerability has been publicly released on GitHub.

Evidence suggests that these vulnerabilities are actively being exploited. Analysis conducted by Dr. Johannes B. Ullrich, Dean of Research at SANS Institute, indicates that attackers are leveraging these flaws to execute malicious payloads delivered via a command-and-control server potentially located in Johannesburg, South Africa. The Shadowserver Foundation confirmed that exploitation attempts began on November 13th.

We started seeing Citrix Virtual Apps and Desktops CVE-2024-8068/CVE-2024-8069 PoC based attempts at around 16:00 UTC today, shortly after publication.

While there is discussion on whether these are remotely exploitable without auth, we urge you to update your installations NOW pic.twitter.com/LdOEmfGXUX

— The Shadowserver Foundation (@Shadowserver) November 12, 2024

Citrix has released a security bulletin acknowledging these vulnerabilities and urging customers to apply the latest patches for Session Recording Manager immediately.

Related Posts:

• CVE-2024-8068 & CVE-2024-8069: Citrix Session Recording Manager Unauthenticated RCE Exploits Publicly Available
• PoC Exploit for NetScaler CVE-2023-4966 Flaw Published
• X-Force Alert: Cybercriminals Zero In on Unsecured Citrix NetScaler Gateways
• Cloud Software Group Confirms CVE-2024-6387 Exposure in NetScaler
• Mandiant Exposes Ongoing Exploits Against Citrix Users