Citrix Workspace app for Windows Security Bulletin CVE-2024-7889 and CVE-2024-7890

Citrix Workspace app for Windows Security Bulletin CVE-2024-7889 and CVE-2024-7890

by | Sep 10, 2024 | ALARM, ctx_adc, ctx_workspace

Title

Citrix Workspace app for Windows Security Bulletin CVE-2024-7889 and CVE-2024-7890

CTX Number

CTX691485

Article Type

Security Bulletin

Created Date

10/Sep/2024

Last Modified Date

10/Sep/2024

Severity

High

Solution

Description of Problem

Two vulnerabilities have been discovered that impact the Citrix Workspace app for Windows.

Affected Versions

The vulnerabilities affect the following supported versions of the Citrix Workspace app for Windows.

Current Release (CR)

  • Citrix Workspace app for Windows versions BEFORE 2405

Long Term Service Release (LTSR)

  • Citrix Workspace app for Windows versions BEFORE 2402 LTSR CU1

Summary

CVE-ID Description Pre-conditionsCWECVSS
CVE-2024-7889 Local privilege escalation allows a low-privileged user to gain SYSTEM privileges Local access to the target system CWE-664: Improper Control of a Resource Through its LifetimeCVSS v4.0 Base Score: 7.0CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE-2024-7890Local privilege escalation allows a low-privileged user to gain SYSTEM privileges Local access to the target systemCWE-269: Improper Privilege ManagementCVSS v4.0 Base Score: 5.4CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 

What Customers Should Do

Citrix strongly recommends that customers upgrade their Citrix Workspace app for Windows to versions that contain the fixes as soon as possible.  

Citrix Workspace app for Windows versions that contain the fixes are: 

Current Release (CR)

  • Citrix Workspace app for Windows 2405 and later versions 

Long Term Service Release (LTSR)

Citrix Workspace app for Windows 2402 CU1 LTSR and later versions 

Citrix Workspace app for Windows Security Bulletin CVE-2024-7889 and CVE-2024-7890

CTX678035

by | Jul 9, 2024 | ALARM, ctx_workspace

Windows Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2024-6151

Security Bulletin | Severity: High | Created: 09 Jul 2024 | Modified: 09 Jul 2024 | Status: Final

Applicable Products

  • Citrix Virtual Apps and Desktops

Description of Problem

A vulnerability has been identified that impacts Virtual Delivery Agent for Windows used by Citrix Virtual Apps and Desktops and Citrix DaaS. Refer to below for further details: 

Affected Versions

The vulnerability affects the following supported versions of Windows Virtual Delivery Agent: 

Current Release (CR)

  • Citrix Virtual Apps and Desktops versions before 2402 

Long Term Service Release (LTSR)

  • Citrix Virtual Apps and Desktops 1912 LTSR before CU9
  • Citrix Virtual Apps and Desktops 2203 LTSR before CU5 

Summary

Windows Virtual Delivery Agent contains the vulnerability mentioned below 

CVE ID          DescriptionPre-requisites    CWECVSS
CVE-2024-6151Local Privilege escalation allows a low-privileged user to gain SYSTEM privilegesLocal access to the target systemCWE-269: Improper Privilege ManagementCVSS v4.0 Base Score: 8.5(CVS:4.0/AV:L/AV:L/AT:N/PR:L/UI:N/VCH/VI:H/VA:H/SC:N/S:N/S:N) 

What Customers Should Do

Citrix strongly recommends that customers upgrade their Windows Virtual Delivery Agent to versions that contain the fixes as soon as possible.  

Windows Virtual Delivery Agent versions that contain the fixes are: 

Current Release (CR)

  • Citrix Virtual Apps and Desktops 2402 and later versions 

Long Term Service Release (LTSR)

  • Citrix Virtual Apps and Desktops 1912 LTSR CU9 and later cumulative updates
  • Citrix Virtual Apps and Desktops 2203 LTSR CU5 and later cumulative updates
  • Citrix Virtual Apps and Desktops 2402 LTSR
Citrix Workspace app for Windows Security Bulletin CVE-2024-7889 and CVE-2024-7890

CTX677998

by | Jul 9, 2024 | ALARM, ctx_adc

NetScaler Console, Agent and SVM Security Bulletin for CVE-2024-6235 and CVE-2024-6236

Security Bulletin | Severity: Critical | Created: 09 Jul 2024 | Modified: 09 Jul 2024 | Status: Final

Applicable Products

  • Citrix Application Delivery Management

Description of Problem

Two vulnerabilities have been discovered in NetScaler Console (formerly NetScaler ADM), NetScaler SVM, and NetScaler Agent. Refer to below for further details: 

Affected Versions

The following supported version of NetScaler Console (formerly NetScaler ADM) is affected by CVE-2024-6235: 

  • NetScaler Console 14.1 before 14.1-25.53

The following supported versions of NetScaler Console, NetScaler Agent and NetScaler SVM are affected by CVE-2024-6236: 

  • NetScaler Console 14.1 before 14.1-25.53
  • NetScaler Console 13.1 before 13.1-53.22
  • NetScaler Console 13.0 before 13.0-92.31
  • NetScaler SVM 14.1 before 14.1-25.53
  • NetScaler SVM 13.1 before 13.1-53.17
  • NetScaler SVM 13.0 before 13.0-92.31
  • NetScaler Agent 14.1 before 14.1-25.53
  • NetScaler Agent 13.1 before 13.1-53.22
  • NetScaler Agent 13.0 before 13.0-92.31

This bulletin only applies to the customer-managed NetScaler Console. Customers using Citrix-managed NetScaler Console Service do not need to take any action.

Summary

NetScaler Console contains the vulnerabilities mentioned below 

CVE ID          DescriptionPre-requisitesAffected Products    CWECVSS
CVE-2024-6235Sensitive information disclosureAccess to NetScaler Console IPNetScaler ConsoleCWE-287: Improper AuthenticationCVSS v4.0 Base Score: 9.4(CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) 
CVE-2024-6236Denial of ServiceAccess to NetScaler Console IP, NetScaler Agent IP, SVM IP NetScaler Console, NetScaler Agent, NetScaler SVMCWE-119: Improper Restriction of Operations within the Bounds of a Memory BufferCVSS v4.0 Base Score: 7.1(CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

What Customers Should Do

Cloud Software Group strongly urges customers of NetScaler Console to install the relevant updated versions of NetScaler Console as soon as possible: 

  • NetScaler Console 14.1-25.53 and later releases of 14.1
  • NetScaler Console  13.1-53.22 and later releases of 13.1
  • NetScaler Console  13.0-92.31 and later releases of 13.0
  • NetScaler SVM 14.1-25.53 and later releases of 14.1
  • NetScaler SVM 13.1-53.17 and later releases of 13.1
  • NetScaler SVM 13.0-92.31 and later releases of 13.0
  • NetScaler Agent 14.1-25.53and later releases of 14.1
  • NetScaler Agent  13.1-53.22 and later releases of 13.1
  • NetScaler Agent 13.0-92.31and later releases of 13.0
Citrix Workspace app for Windows Security Bulletin CVE-2024-7889 and CVE-2024-7890

CTX678025

by | Jul 9, 2024 | ALARM, ctx_workspace

Citrix Provisioning Security Bulletin CVE-2024-6150

Security Bulletin | Severity: Medium | Created: 09 Jul 2024 | Modified: 09 Jul 2024 | Status: Final

Applicable Products

  • Provisioning Services

Description of Problem

A vulnerability has been discovered that impacts Citrix Provisioning. Refer to below for further details: 

Affected Versions

The vulnerability affects the following supported versions of Citrix Provisioning

Current Release (CR)

  • Citrix Provisioning versions before 2402 

Long Term Service Release (LTSR)

  • Citrix Provisioning versions before 2203 LTSR CU5
  • Citrix Provisioning versions before 1912 LTSR CU9

Summary

Citrix Provisioning contains the vulnerability mentioned below 

CVE ID          DescriptionPre-requisites    CWECVSS
CVE-2024-6150A non-admin user can cause short-term disruption in Target VM availabilityAn attacker must have access to the PVSboot.ini fileCWE-284: Improper Access ControlCVSS v4.0 Base Score: 4.8(CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) 

What Customers Should Do

Citrix strongly recommends that customers upgrade their Citrix Provisioning to versions that contain the fixes as soon as possible.  

Citrix Provisioning versions that contain the fixes are: 

Current Release (CR)

  • Citrix Provisioning 2402 and later versions 

Long Term Service Release (LTSR)

  • Citrix Provisioning 2203 LTSR CU5 and later versions
  • Citrix Provisioning 1912 LTSR CU9 and later versions
Citrix Workspace app for Windows Security Bulletin CVE-2024-7889 and CVE-2024-7890

CTX677944

by | Jul 9, 2024 | ALARM, ctx_adc

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2024-5491 and CVE-2024-5492

Security Bulletin | Severity: High | Created: 09 Jul 2024 | Modified: 09 Jul 2024 | Status: Final

Applicable Products

  • NetScaler Gateway
  • NetScaler

Description of Problem

Two vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer to below for further details:

Affected Versions

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-25.53
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-53.17
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.31
  • NetScaler ADC 13.1-FIPS before 13.1-37.183
  • NetScaler ADC 12.1-FIPS before 12.1-55.304
  • NetScaler ADC 12.1-NDcPP before 12.1-55.304

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Summary

NetScaler ADC and NetScaler Gateway contain the vulnerabilities mentioned below 

CVE ID          DescriptionPre-requisites    CWECVSS
CVE-2024-5491Denial of ServiceADC or Gateway appliance configured with
SNMP (NSIP/SNIP)		CWE-119: Improper Restriction of Operations within the Bounds of a Memory BufferCVSS v4.0 Base Score: 7.1(CVSS:4.0/AV:A/AC:L/AT:NÅR:N/UI:N/VCH:N/VI:L/VA:H/SC:N/S:N/S:N) 
CVE-2024-5492Open redirect vulnerability allows a remote unauthenticated attacker to redirect users to arbitrary websitesRequires targeted user to access an attacker-controlled URL while being on a network with access to NSIPCWE-601: URL Redirection to Untrusted Site (‹Open Redirect›)CVSS v4.0 Base Score: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

What Customers Should Do

Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. 

  • NetScaler ADC and NetScaler Gateway 14.1-25.53 and later releases
  • NetScaler ADC and NetScaler Gateway   13.1-53.17 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway  13.0-92.31 and later releases of 13.0 
  • NetScaler ADC 13.1-FIPS 13.1-37.183 and later releases of 13.1-FIPS 
  • NetScaler ADC 12.1-FIPS 12.1-55.304 and later releases of 12.1-FIPS 
  • NetScaler ADC 12.1-NDcPP 12.1-55.304 and later releases of 12.1-NDcPP 

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.