Windows Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2024-6151
Security Bulletin | Severity: High | Created: 09 Jul 2024 | Modified: 09 Jul 2024 | Status: Final
Applicable Products
- Citrix Virtual Apps and Desktops
Description of Problem
A vulnerability has been identified that affects the Virtual Delivery Agent for Windows used by Citrix Virtual Apps and Desktops and Citrix DaaS. Details are provided in the sections below.
Affected Versions
The vulnerability affects the following supported versions of Windows Virtual Delivery Agent:
Current Release (CR)
- Citrix Virtual Apps and Desktops versions before 2402
Long Term Service Release (LTSR)
- Citrix Virtual Apps and Desktops 1912 LTSR before CU9
- Citrix Virtual Apps and Desktops 2203 LTSR before CU5
Summary
Windows Virtual Delivery Agent contains the vulnerability described below:
CVE ID | Description | Pre-requisites | CWE | CVSS |
CVE-2024-6151 | Local privilege escalation allows a low-privileged user to gain SYSTEM privileges | Local access to the target system | CWE-269: Improper Privilege Management | CVSS v4.0 Base Score: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) |
What Customers Should Do
Citrix strongly recommends that customers upgrade their Windows Virtual Delivery Agent to versions that contain the fixes as soon as possible.
Windows Virtual Delivery Agent versions that contain the fixes are:
Current Release (CR)
- Citrix Virtual Apps and Desktops 2402 and later versions
Long Term Service Release (LTSR)
- Citrix Virtual Apps and Desktops 1912 LTSR CU9 and later cumulative updates
- Citrix Virtual Apps and Desktops 2203 LTSR CU5 and later cumulative updates
- Citrix Virtual Apps and Desktops 2402 LTSR
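The affected and fixed version lists above can be applied to a VDA inventory export to decide which machines need the upgrade. The following is an added example, not code from Citrix; the release label format (for example "1912 LTSR CU8"), the function names and the sample hostnames are assumptions made for illustration.

```python
import re

# Baselines taken from the bulletin: LTSR release -> first cumulative update with the fix.
LTSR_FIXED_CU = {1912: 9, 2203: 5, 2402: 0}
FIRST_FIXED_CR = 2402  # Current Release 2402 and later contain the fix

# Assumed label format: "2311", "2203 LTSR", "1912 LTSR CU8" (YYMM, optional LTSR, optional CU).
LABEL_RE = re.compile(r"^\s*(\d{4})(?:\s+LTSR)?(?:\s+CU(\d+))?\s*$", re.IGNORECASE)

def classify(label):
    """Return 'affected', 'fixed' or 'unknown' for one VDA release label."""
    m = LABEL_RE.match(label)
    if not m:
        return "unknown"  # not a release named in the bulletin's lists, e.g. 7.15 LTSR
    release, cu = int(m.group(1)), int(m.group(2) or 0)
    if release in LTSR_FIXED_CU:
        return "fixed" if cu >= LTSR_FIXED_CU[release] else "affected"
    if cu:
        return "unknown"  # a CU on a release the bulletin does not list as LTSR
    return "fixed" if release >= FIRST_FIXED_CR else "affected"

def triage(inventory):
    """Group (hostname, label) rows by verdict so affected VDAs can be queued for upgrade."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, label in inventory:
        report[classify(label)].append(host)
    return report

# Constructed sample inventory (hostnames and labels are illustrative only).
SAMPLE = [
    ("vda-01", "1912 LTSR CU8"),
    ("vda-02", "1912 LTSR CU9"),
    ("vda-03", "2203 LTSR"),
    ("vda-04", "2203 LTSR CU5"),
    ("vda-05", "2311"),
    ("vda-06", "2402 LTSR"),
    ("vda-07", "7.15 LTSR CU9"),
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE).items():
        print(f"{verdict:8} {', '.join(hosts) or '-'}")
```

Rows reported as unknown are releases the bulletin does not name and need to be reviewed by hand rather than treated as fixed.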