Citrix and security researchers at watchTowr on Tuesday warned about security flaws in Citrix Session Recording that can allow an attacker to take control of a system.
The vulnerabilities include CVE-2024-8068, a privilege escalation that allows access to NetworkService Account access, and CVE-2024-8069, which allows limited remote code execution, with the privilege of a NetworkService account access.
Researchers at watchTowr said the flaw was discovered as part of the firm’s ongoing research into internal vulnerabilities and exploit development.
“At its core, the Citrix solution deserializes untrusted user data, using a .NET function provided by Microsoft (BinaryFormatter) that is known insecure, and Microsoft explicitly states cannot be made secure,” Benjamin Harris, CEO at watchTowr, said via email. “The user data is received by Citrix via an MSMQ queue, which we are able to access over the Internet via network services that are designed to be exposed to the internet for this solution to function.”
Microsoft warns the BinaryFormatter type is considered dangerous and says attackers leveraging deserialization vulnerabilities can cause denial of service, information disclosure or remote code execution inside the targeted application.
Shadowserver began to see threat activity based on the proof of concept starting at 11 a.m. Eastern (16:00 UTC), researchers said in a post on X. Shadowserver acknowledged the dispute over whether attackers needed to be authenticated, but urged users to still upgrade to a safer version of Citrix Session Recording right away.
Cloud Software Group, the parent of Citrix, urged Citrix Session Recording users to upgrade their software as soon as possible. The Cybersecurity and Infrastructure Security Agency also encouraged sers to review the bulletin and apply necessary upgrades.
Researchers at watchTowr first disclosed the flaw in mid-July, Citrix responded in early August saying they could not reproduce the flaw and watchTowr then provided the company a proof of concept and a video.
Citrix issued a security bulletin and watchTowr released an extensive blog on Tuesday, which was a mutually agreed upon disclosure date. However, a dispute has emerged over a key issue involving whether an attacker must be authenticated to gain access.
“It’s unclear why Citrix is disputing the unauthenticated nature of this vulnerability and their exploitation paths,” Harris told Cybersecurity Dive Wednesday. A spokesperson for Cloud Software Group, when asked about the authentication issue on Tuesday, said that based on analysis by the company’s security team, an attacker must be authenticated to gain access.