CVE-2024-8068 and CVE-2024-8069: Citrix Session Recording Vulnerability
IONIX Tracks CVE-2024-8068 and CVE-2024-8069: Citrix Session Recording Vulnerability (claimed to be RCE): This post is based on ongoing security research – and will continue to be updated as we get additional information…
Two Citrix vulnerabilities (CVE-2024-8068 and CVE-2024-8069) can potentially lead to unauthenticated remote code execution.
Note: according to the vendor, privilege escalation to NetworkService account access and limited remote code execution with NetworkService account privileges are possible in Citrix Session Recording when the attacker is an authenticated user on the same intranet.
This means that successful exploitation requires the attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server and on the same intranet as that server. Citrix has addressed the defects in a number of versions (see below).
The IONIX research team created an exploit simulation module based on the available exploits for the issue.
Based on scanning thousands of Citrix instances in the attack surface of IONIX customers, the IONIX research team believes that most Citrix instances cannot be attacked remotely (without authentication) with the currently available exploits.
What is Citrix Recording Manager?
According to this report, Citrix’s Session Recording Manager records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more.
“Citrix advertises the feature as being really useful for monitoring, compliance and troubleshooting. It can even be set up so that certain actions (like identifying sensitive data) will trigger recording, which helps meet regulatory needs and flag suspicious activities,” the watchTowr researchers noted in the report.
The following supported versions of Citrix Session Recording are affected by the vulnerabilities:
Current Release (CR)
- Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8
Long Term Service Release (LTSR)
- Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6
- Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11
- Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16
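One way to triage an inventory against the fixed builds listed above, as an added example that is not code from IONIX or Citrix. It assumes that installed versions are reported as four-part dotted strings like the hotfix builds, that the first two components identify an LTSR train, and that anything else belongs to the Current Release line; the host names and sample builds are constructed.

```python
# Fixed hotfix builds copied from the affected-versions list above.
LTSR_FIXED_BUILDS = ("19.12.9100.6", "22.03.5100.11", "24.02.1200.16")
CR_FIXED_BUILD = "24.5.200.8"


def parse_version(text):
    """Turn '22.03.5100.11' into (22, 3, 5100, 11) so builds compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part dotted version: {text!r}")
    return tuple(int(p) for p in parts)


# Assumption: the (major, minor) pair of a fixed build identifies its LTSR train.
LTSR_BY_TRAIN = {parse_version(b)[:2]: b for b in LTSR_FIXED_BUILDS}


def assess(version_text):
    """Return (status, fixed_build); status is 'affected' or 'fixed'."""
    version = parse_version(version_text)
    # Builds outside the listed LTSR trains are compared against the CR fix.
    fixed_build = LTSR_BY_TRAIN.get(version[:2], CR_FIXED_BUILD)
    status = "affected" if version < parse_version(fixed_build) else "fixed"
    return status, fixed_build


def triage(inventory):
    """Map host -> (status, fixed_build); unparsable versions go to manual review."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = assess(version_text)
        except ValueError:
            report[host] = ("review", None)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and builds).
    sample = {
        "sr-01": "19.12.9000.4",
        "sr-02": "22.03.5100.11",
        "sr-03": "24.5.100.2",
        "sr-04": "unknown",
    }
    for host, (status, fixed_build) in triage(sample).items():
        print(f"{host}: {status} (fixed in {fixed_build})")
```

Hosts flagged `review` reported a version the parser could not read and need a manual check rather than being assumed safe.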
What should I do about CVE-2024-8068 and CVE-2024-8069?
IONIX customers will see updated information in the threat center of the IONIX portal. Citrix claims CVE-2024-8068 and CVE-2024-8069 can be exploited only under very specific circumstances, and we have not yet found exploited Citrix instances in the wild.
References
Citrix (vendor) advisory, https://support.citrix.com/s/article/CTX691941-citrix-session-recording-security-bulletin-for-cve20248068-and-cve20248069?language=en_US
Citrix Recording Manager Zero-Day Allows Unauthenticated RCE, https://www.darkreading.com/cloud-security/citrix-recording-manager-zero-day-bug-unauthenticated-rce
New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration, https://thehackernews.com/2024/11/new-flaws-in-citrix-virtual-apps-enable.html