A vulnerability has been discovered in Citrix Workspace app for Mac, which, if exploited, may result in a session hijack of a user who is authenticated on cloud stores.
Affected Versions:
The following supported versions of Citrix Workspace app for Mac are affected by the vulnerability: Citrix Workspace app for Mac before 2409
Summary:
CVE ID
Description
Pre-requisites
CWE
CVSS
CVE-2024-7549
Possible session hijack of a user who is authenticated on cloud store
Citrix Workspace app authenticated user using cloud store may be impacted when:Accessing SaaS/Web appOR Accessing CVAD apps or desktops using Custom Workspace URL
CWE-287: Improper Authentication
CVSS v4.0 Base Score: 6.9(CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
What Customers Should Do
Cloud Software Group strongly urges affected customers of Citrix Workspace app for Mac to install the relevant updated versions of Citrix Workspace app for Mac as soon as possible:
Windows Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2024-6151
Security Bulletin | Severity: High | Created: 09 Jul 2024 | Modified: 09 Jul 2024 | Status: Final
Applicable Products
Citrix Virtual Apps and Desktops
Description of Problem
A vulnerability has been identified that impacts Virtual Delivery Agent for Windows used by Citrix Virtual Apps and Desktops and Citrix DaaS. Refer to below for further details:
Affected Versions
The vulnerability affects the following supported versions of Windows Virtual Delivery Agent:
Current Release (CR)
Citrix Virtual Apps and Desktops versions before 2402
Long Term Service Release (LTSR)
Citrix Virtual Apps and Desktops 1912 LTSR before CU9
Citrix Virtual Apps and Desktops 2203 LTSR before CU5
Summary
Windows Virtual Delivery Agent contains the vulnerability mentioned below
CVE ID
Description
Pre-requisites
CWE
CVSS
CVE-2024-6151
Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges
Local access to the target system
CWE-269: Improper Privilege Management
CVSS v4.0 Base Score: 8.5(CVS:4.0/AV:L/AV:L/AT:N/PR:L/UI:N/VCH/VI:H/VA:H/SC:N/S:N/S:N)
What Customers Should Do
Citrix strongly recommends that customers upgrade their Windows Virtual Delivery Agent to versions that contain the fixes as soon as possible.
Windows Virtual Delivery Agent versions that contain the fixes are:
Current Release (CR)
Citrix Virtual Apps and Desktops 2402 and later versions
Long Term Service Release (LTSR)
Citrix Virtual Apps and Desktops 1912 LTSR CU9 and later cumulative updates
Citrix Virtual Apps and Desktops 2203 LTSR CU5 and later cumulative updates
XenServer and Citrix Hypervisor Security Update for CVE-2024-5661
Security Bulletin | Severity: Medium | Created: 11 Jun 2024 | Modified: 11 Jun 2024 | Status: Final
Applicable Products
Citrix Hypervisor
Description of Problem
An issue has been identified in both XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR which may allow a malicious administrator of a guest VM to cause the host to become slow and/or unresponsive. This issue has the following identifier:
For customers using XenServer 8, we have pushed an update to both the Early Access and Normal update channels. We recommend that customers update to the latest version from their chosen channel following the instructions at https://docs.xenserver.com/en-us/xenserver/8/update
For customers using Citrix Hypervisor 8.2 CU1 LTSR, we have released a hotfix to address this issue. We recommend that customers install this hotfix and follow the instructions in the linked article as their update schedule permits. The hotfix can be downloaded from the following location:
Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.
A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.
This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24.
This bulletin only applies to customer-managed ShareFile storage zones controllers. Customers using ShareFile-managed storage zones in the cloud do not need to take any action.
The issue has been given the following identifier:
CVE ID
Affected Products
Description
Pre-requisites
CWE
CVSS
CVE-2023-24489
Citrix Content Collaboration
Improper resource control allows unauthenticated remote compromise
Network access to the ShareFile storage zones controller
All customer-managed ShareFile storage zones controllers versions prior to the latest version 5.11.24 have been blocked to protect our customers. Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied.
Customers should shut down any machine that was running an affected version of the storage zones controller software.
