Despite releasing patches and urging users to update, Citrix maintains that the vulnerability is not a “non-exploitable RCE.” Citrix representatives argue that to exploit it, an adversary must already be an authorized user with access in the context of the NetworkService account.
However, Watchtowr disagrees with Citrix’s assessment, stating that the issue is more severe than claimed. The vulnerability exposes the server controlling all user applications and sessions, allowing an attacker to impersonate users, including administrators, and covertly monitor their activities.
The vulnerability was discovered in the Session Recording Manager module, which records user session video streams and key presses/mouse movements for monitoring purposes. Sessions are stored in a database using the Microsoft Message Queuing (MSMQ) service.
Researchers found that the MSMQ initialization process applies overly permissive settings, enabling anyone to insert messages into the queue. An even graver concern is the use of the insecure BinaryFormatter class for deserializing that data. Microsoft’s documentation explicitly warns against using BinaryFormatter because of its security risks.
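To make the deserialization point concrete, the following is an added example, not Citrix or watchTowr code: it places the BinaryFormatter pattern the article criticises beside a receiver that deserializes only a fixed, known type. The `SessionEvent` record and its fields are hypothetical; the real Session Recording message format is not described on the page.

```csharp
// Added example (not Citrix code). Contrasts the weak pattern the article describes
// (BinaryFormatter on untrusted queue messages) with a hardened receiver that can
// only ever produce one known type.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical message shape; the real Session Recording format is not on the page.
public sealed class SessionEvent
{
    public string SessionId { get; set; } = "";
    public string EventType { get; set; } = "";
    public long Timestamp { get; set; }
}

public static class QueueConsumer
{
    // WEAK: BinaryFormatter reconstructs whatever type the sender encoded in the
    // payload, so whoever can enqueue bytes also chooses the object graph that gets
    // built. Microsoft documents this formatter as unsafe for untrusted input, and
    // newer .NET versions disable it by default (hence the SYSLIB0011 warning).
    public static object DeserializeWeak(byte[] body)
    {
#pragma warning disable SYSLIB0011
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(body);
        return formatter.Deserialize(stream);
#pragma warning restore SYSLIB0011
    }

    // HARDENED: the receiver fixes the target type up front. The payload can only
    // populate SessionEvent's properties; it cannot select a type to instantiate.
    public static SessionEvent DeserializeHardened(byte[] body)
    {
        var options = new JsonSerializerOptions { MaxDepth = 8 };
        var evt = JsonSerializer.Deserialize<SessionEvent>(body, options)
                  ?? throw new InvalidDataException("empty or null message body");

        // Validate the fields after shape-constrained parsing.
        if (string.IsNullOrWhiteSpace(evt.SessionId))
            throw new InvalidDataException("missing SessionId");
        return evt;
    }
}
```

Restricting who may write to the queue is a separate control from the serializer choice; both matter, since the article notes the queue accepted messages from anyone.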
Exploiting the vulnerability requires a simple HTTP request, even though MSMQ access typically occurs via TCP port 1801. Experts were surprised that Citrix enabled MSMQ support, as it is unnecessary for the product’s functionality.
Following the POC publication, Citrix promptly issued recommendations and updates to address the vulnerability. The patches apply to various versions, including Citrix Virtual Apps and Desktops 2407, 1912 LTSR, 2203 LTS