CVE-2024-8068 & CVE-2024-8069: Citrix Session Recording Manager Unauthenticated RCE Exploits Publicly Available

by do son · Published November 12, 2024 · Updated November 12, 2024

Security researchers at watchTowr have uncovered two critical vulnerabilities in Citrix Session Recording Manager that, when chained together, allow unauthenticated remote code execution (RCE) on Citrix Virtual Apps and Desktops. This discovery raises serious concerns for organizations relying on these platforms, as attackers could exploit these flaws to gain complete control over vulnerable systems.

The vulnerabilities, tracked as CVE-2024-8068 and CVE-2024-8069, stem from a combination of an exposed Microsoft Message Queuing (MSMQ) instance with misconfigured permissions and the use of the insecure BinaryFormatter class. This allows attackers to reach the vulnerable MSMQ service from any host via HTTP and execute arbitrary code with the privileges of a NetworkService account.

“A carelessly-exposed MSMQ instance can be exploited, via HTTP, to enable unauthenticated RCE against Citrix Virtual Apps and Desktops,” explains watchTowr security researcher Sina Kheirkhah.

However, Citrix emphasized that exploitation of these vulnerabilities requires attackers to have authenticated access to the Windows Active Directory domain and be present on the same intranet as the targeted session recording server.

Kheirkhah has published a detailed technical analysis of the vulnerabilities on his blog, along with proof-of-concept exploit code on GitHub, further highlighting the urgency of addressing these flaws.

Citrix has responded to these findings by releasing a security bulletin and urging customers to update their Session Recording Manager installations to the latest patched versions as soon as possible. The affected versions include:

Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8
Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6
Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11
Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16

Microsoft itself has acknowledged the inherent insecurity of BinaryFormatter, recommending its deprecation in favor of safer alternatives.

Citrix’s Session Recording Manager is commonly used by administrators for auditing, compliance, and troubleshooting within Citrix Virtual Apps and Desktops. The tool records user activity, including keyboard and mouse inputs and video of the desktop session. If exploited, the vulnerability could allow attackers to gain unauthorized access to sensitive user data and even manipulate session recordings, raising severe privacy and compliance concerns for organizations.

Organizations using Citrix Virtual Apps and Desktops are strongly advised to prioritize patching their systems to mitigate the risk of potential attacks. Delaying these updates could leave them vulnerable to severe security breaches and operational disruptions.