Description of Problem
Vulnerabilities have been identified in Citrix Virtual Apps and Desktops that could, if exploited, result in:
- A user who has access to a Windows Virtual Desktop being able to escalate their privilege level on that Windows Virtual Desktop to SYSTEM.
- Remote compromise of a Windows Virtual Desktop which has Windows file sharing (SMB) enabled.
These vulnerabilities have the following identifiers:
CVE ID | Description | Vulnerability Type | Pre-conditions |
CVE-2020-8269 | An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM | CWE-269: Improper Privilege Management | The attacker must be an authenticated user on the Windows VDA with write access to the C:\ directory |
CVE-2020-8270 | An unprivileged Windows user on the VDA or a SMB user can perform arbitrary command execution as SYSTEM | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‹OS Command Injection›) | The attacker must be an authenticated user on the Windows VDA or be authenticated to Windows SMB service running on the VDA |
The vulnerabilities affect the following supported versions of Citrix Virtual Apps and Desktops:
- Citrix Virtual Apps and Desktops 2006 and earlier versions
- Citrix Virtual Apps and Desktops 1912 LTSR CU1 and earlier versions of 1912 LTSR
- Citrix XenApp / XenDesktop 7.15 LTSR CU6 and earlier versions of 7.15 LTSR
- Citrix XenApp / XenDesktop 7.6 LTSR CU8 and earlier versions of 7.6 LTSR
Please note that Citrix XenApp / XenDesktop 7.6 LTSR is not affected by CVE-2020-8270.
Mitigating Factors
CVE-2020-8269 – This issue is only exploitable if low-privilege users have been granted permission to write files to the C:\ directory. This permission is not default in Windows and Citrix recommends that users are only granted the permissions they require.
CVE-2020-8270 – A remote compromise is only possible when Windows file sharing (SMB) is enabled on the Windows Virtual Desktop. If authentication is required for SMB then an attacker must also be able to authenticate in order to remotely compromise the Virtual Desktop.
What Customers Should Do
The issues have been addressed in the following versions of Citrix Virtual Apps and Desktops:
- Citrix Virtual Apps and Desktops 2009 or later
- Citrix Virtual Apps and Desktops 1912 LTSR CU1 hotfixes CTX285870, CTX285871, CTX285872 and CTX286120, and later cumulative updates
- Citrix XenApp / XenDesktop 7.15 LTSR CU6 hotfixes CTX285341, CTX285342 and CTX285344, and later cumulative updates
- Citrix XenApp / XenDesktop 7.6 LTSR CU9 and later cumulative updates
Citrix strongly recommends that customers upgrade to a fixed version as soon as possible.
The latest versions of Citrix Virtual Apps and Desktops are available from the following location:
Hotfixes to address the issues in Citrix Virtual Apps and Desktops 1912 LTSR and Citrix XenApp / XenDesktop 7.15 LTSR can be downloaded from the following locations:
Citrix Virtual Apps and Desktops 1912 CU1
CTX285870 – https://support.citrix.com/article/CTX285870
CTX285871 – https://support.citrix.com/article/CTX285871
CTX285872 – https://support.citrix.com/article/CTX285872
CTX286120 – https://support.citrix.com/article/CTX286120
Citrix XenApp / XenDesktop 7.15 CU6
CTX285341 – https://support.citrix.com/article/CTX285341
CTX285342 – https://support.citrix.com/article/CTX285342
CTX285344 – https://support.citrix.com/article/CTX285344
Customers should ensure they have installed the latest cumulative update and then apply all hotfixes for that version.
Acknowledgements
Citrix would like to thank Hannay Al-Mohanna of F-Secure Consulting and Michael Garrison of State Farm Information Security for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.