Cybersecurity researchers have disclosed critical vulnerabilities in Citrix Virtual Apps and Desktops that could allow unauthenticated remote code execution (RCE) attacks. The flaws, found in the Session Recording component, arise from a misconfigured Microsoft Message Queuing (MSMQ) instance that improperly exposes permissions and utilizes BinaryFormatter for deserialization. This combination allows attackers to craft specially designed MSMQ messages that could be sent over HTTP, potentially leading to the execution of malicious code on affected systems.
The vulnerabilities are identified as CVE-2024-8068 and CVE-2024-8069. CVE-2024-8068 (CVSS score: 5.1) allows privilege escalation to the NetworkService account, while CVE-2024-8069 (CVSS score: 5.1) enables limited remote code execution with NetworkService account privileges. These flaws occur due to excessive permissions on the MSMQ instance, which enables remote access via HTTP, even though the messages are supposed to be transmitted locally. The flaws have been addressed in Citrix Virtual Apps and Desktops versions 2407 hotfix 24.5.200.8, 1912 LTSR before CU9, 2203 LTSR before CU5, and 2402 LTSR before CU1.
Despite Citrix’s assessment that exploitation requires authentication and that attackers would need to be within the same Windows Active Directory domain and intranet as the affected server, researchers have raised concerns about the true severity of the vulnerability. The flaws could potentially allow for unauthenticated access under certain conditions, making the threat much more dangerous than initially understood. Experts suggest that these flaws could lead to full system takeover, as attackers could escalate privileges and execute arbitrary code.
In response to the findings, Citrix has urged users to update their installations to the latest versions. Microsoft has also strongly advised developers to stop using BinaryFormatter due to its vulnerability when handling untrusted input. As of August 2024, BinaryFormatter has been removed from .NET 9. This incident highlights the continued risks of misconfigured services and outdated methods, stressing the importance of staying current with security updates to mitigate potential exploitation.