Windows Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2024-6151
Security Bulletin | Severity: High | Created: 09 Jul 2024 | Modified: 09 Jul 2024 | Status: Final
Applicable Products
Citrix Virtual Apps and Desktops
Description of Problem
A vulnerability has been identified that impacts Virtual Delivery Agent for Windows used by Citrix Virtual Apps and Desktops and Citrix DaaS. Refer to below for further details:
Affected Versions
The vulnerability affects the following supported versions of Windows Virtual Delivery Agent:
Current Release (CR)
Citrix Virtual Apps and Desktops versions before 2402
Long Term Service Release (LTSR)
Citrix Virtual Apps and Desktops 1912 LTSR before CU9
Citrix Virtual Apps and Desktops 2203 LTSR before CU5
Summary
Windows Virtual Delivery Agent contains the vulnerability mentioned below
CVE ID
Description
Pre-requisites
CWE
CVSS
CVE-2024-6151
Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges
Local access to the target system
CWE-269: Improper Privilege Management
CVSS v4.0 Base Score: 8.5(CVS:4.0/AV:L/AV:L/AT:N/PR:L/UI:N/VCH/VI:H/VA:H/SC:N/S:N/S:N)
What Customers Should Do
Citrix strongly recommends that customers upgrade their Windows Virtual Delivery Agent to versions that contain the fixes as soon as possible.
Windows Virtual Delivery Agent versions that contain the fixes are:
Current Release (CR)
Citrix Virtual Apps and Desktops 2402 and later versions
Long Term Service Release (LTSR)
Citrix Virtual Apps and Desktops 1912 LTSR CU9 and later cumulative updates
Citrix Virtual Apps and Desktops 2203 LTSR CU5 and later cumulative updates
XenServer and Citrix Hypervisor Security Update for CVE-2024-5661
Security Bulletin | Severity: Medium | Created: 11 Jun 2024 | Modified: 11 Jun 2024 | Status: Final
Applicable Products
Citrix Hypervisor
Description of Problem
An issue has been identified in both XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR which may allow a malicious administrator of a guest VM to cause the host to become slow and/or unresponsive. This issue has the following identifier:
For customers using XenServer 8, we have pushed an update to both the Early Access and Normal update channels. We recommend that customers update to the latest version from their chosen channel following the instructions at https://docs.xenserver.com/en-us/xenserver/8/update
For customers using Citrix Hypervisor 8.2 CU1 LTSR, we have released a hotfix to address this issue. We recommend that customers install this hotfix and follow the instructions in the linked article as their update schedule permits. The hotfix can be downloaded from the following location:
Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.
A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.
This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24.
This bulletin only applies to customer-managed ShareFile storage zones controllers. Customers using ShareFile-managed storage zones in the cloud do not need to take any action.
The issue has been given the following identifier:
CVE ID
Affected Products
Description
Pre-requisites
CWE
CVSS
CVE-2023-24489
Citrix Content Collaboration
Improper resource control allows unauthenticated remote compromise
Network access to the ShareFile storage zones controller
All customer-managed ShareFile storage zones controllers versions prior to the latest version 5.11.24 have been blocked to protect our customers. Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied.
Customers should shut down any machine that was running an affected version of the storage zones controller software.
This issue has been addressed in the following versions of Citrix Secure Access client for Ubuntu:
23.5.2 and later releases
Citrix recommends that customers who are affected by the above vulnerability upgrade the Citrix Secure Access client for Ubuntu installed on their endpoints by taking the following actions as soon as possible:
If Citrix Secure Access client for Ubuntu is distributed via the SSL VPN upgrade control feature of Citrix ADC or Citrix Gateway:
Check the versions of Citrix Secure Access client for Ubuntu that are being distributed by each Citrix ADC or Citrix Gateway instance. This can be done by viewing the file located at /var/netscaler/gui/vpn/scripts/linux/clientversions.xml. If it is a vulnerable version, customers must:
Citrix thanks Rilke Petrosky of F2TC Cyber Security for working with us to protect Citrix customers.
What Citrix is Doing
Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.
Subscribe to Receive Alerts
Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.
Disclaimer
This document is provided on an «as is» basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.
