Description of Problem
A vulnerability has been discovered in the Citrix Secure Access client for Windows.
The following supported versions are affected by the vulnerability:
- Versions before 23.5.1.3
The issue has the following identifier:
| CVE ID | Description | Pre-requisites | CWE | CVSS |
|---|---|---|---|---|
| CVE-2023-24491 | Local Privilege escalation to NT AUTHORITY\SYSTEM | Access to an endpoint with Standard User Account that has the vulnerable client installed | CWE-269 | 7.8 |
What Customers Should Do
This issue has been addressed in the following versions of the Citrix Secure Access client for Windows:
- 23.5.1.3 and later releases
Citrix recommends that customers who are affected by the above vulnerability upgrade the Citrix Secure Access client for Windows installed on their endpoints by taking the following actions as soon as possible:
- If Citrix Secure Access client for Windows is distributed via the SSL VPN upgrade control feature of Citrix ADC or Citrix Gateway:
Check the versions of the Citrix Secure Access client for Windows that are being distributed by each Citrix ADC or Citrix Gateway instance. This can be done using either GUI (instructions at: https://www.citrix.com/downloads/citrix-gateway/plug-ins/citrix-secure-access-client-for-windows.html) or by viewing the file located at /var/netscaler/gui/vpn/pluginlist.xml. If it is a vulnerable version, customers must:
- Replace the vulnerable client on the Citrix ADC or Citrix Gateway by following the instructions at: https://www.citrix.com/downloads/citrix-gateway/plug-ins/citrix-secure-access-client-for-windows.html.
Information about the upgrade control feature is detailed at: https://docs.citrix.com/en-us/citrix-gateway/13/vpn-user-config/how-users-connect-with-gateway-plugin.html#control-upgrade-of-citrix-gateway-plug-ins
- If the Citrix Secure Access client is distributed/upgraded directly onto users› devices:
Customers must install the above-mentioned fixed client on their users› devices by downloading them from https://www.citrix.com/downloads/citrix-gateway/plug-ins/citrix-secure-access-client-for-windows.html