Published: 14 November 2024
Prepared by: Adam Skupien, Vulnerability Security Analyst
The purpose of this bulletin is to address two vulnerabilities in the Citrix Virtual Apps and Desktops Session Recording feature.
The vulnerabilities are tracked as CVE-2024-8068 and CVE-2024-8069 and are currently classified as Medium severity by the vendor. This Medium rating is disputed by the original author because the exploit provides Unauthenticated Remote Code Execution on affected devices. This bulletin is therefore being released to urge prompt action to apply hotfixes to the affected products.
On 12 November 2024, the watchTowr security research team released an article detailing the discovery and exploitation of a vulnerability in the Citrix Virtual Apps and Desktops Session Recording feature, developed by Citrix. The article demonstrated a Proof of Concept (POC) of the exploit and followed responsible disclosure processes.
The US Cybersecurity and Infrastructure Security Agency (CISA) also released a bulletin addressing this vulnerability, encouraging administrators to apply the suggested updates.
On 12 November 2024, Citrix published an article disclosing these vulnerabilities. The vulnerabilities are being tracked as CVE-2024-8068 and CVE-2024-8069, and the vendor has provided download links for hotfixes for the affected versions.
The following supported versions of Citrix Virtual Apps and Desktops are affected:
Current Release:
Long Term Service Release (LTSR):
Triskele Labs recommends following the vendor guidance and applying the hotfixes provided by Citrix as a priority. These hotfixes can be downloaded at the links below:
Additionally, Triskele Labs recommends auditing your environment to ensure that no Microsoft Message Queue services over HTTP are being exposed to the internet.
Please note: Citrix has advised that rollbacks of these updates are not supported as they replace key components of the installation. Attempts to revert to a previous version may result in the loss of configured settings.
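For the Microsoft Message Queue audit recommended above, the following PowerShell sketch is an added example, not vendor or Triskele Labs tooling. It reports whether MSMQ HTTP support is installed on a Windows Server host and whether any non-private addresses are currently connected to its web ports. It assumes MSMQ HTTP traffic arrives via IIS on TCP 80/443; the function names are hypothetical.

```powershell
# Added example: local audit of MSMQ-over-HTTP on a Windows Server host.
# Run in an elevated session on each Session Recording server.
# Assumption: MSMQ HTTP is served by IIS on TCP 80/443; adjust to your bindings.
$WebPorts = 80, 443

function Test-PrivateAddress {
    param([string]$Address)
    # Strip any IPv6 zone id, then treat loopback, link-local, ULA and
    # RFC 1918 ranges as internal.
    $ip = [System.Net.IPAddress]::Parse(($Address -replace '%.*$', ''))
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return $true }
    $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq 'InterNetworkV6') {
        return $ip.IsIPv6LinkLocal -or (($b[0] -band 0xFE) -eq 0xFC)
    }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-MsmqHttpExposure {
    $feature   = Get-WindowsFeature -Name MSMQ-HTTP-Support
    $service   = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $WebPorts -ErrorAction SilentlyContinue
    # Established inbound sessions whose peer is not an internal address
    $external  = Get-NetTCPConnection -State Established -LocalPort $WebPorts -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) }

    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        MsmqHttpInstalled = [bool]$feature.Installed
        MsmqService       = if ($service) { $service.Status } else { 'NotInstalled' }
        ListeningOn       = ($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } |
                                Sort-Object -Unique) -join ', '
        ExternalPeers     = ($external.RemoteAddress | Sort-Object -Unique) -join ', '
    }
}

$result = Get-MsmqHttpExposure
$result | Format-List
if ($result.MsmqHttpInstalled -and $result.ExternalPeers) {
    Write-Warning "MSMQ HTTP support is installed and public addresses are connected to the web ports."
}
```

An empty ExternalPeers value does not prove the host is unreachable from the internet: traffic arriving through a reverse proxy or load balancer shows the proxy's internal address, so confirm the result against perimeter firewall and NAT rules.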
This bulletin will be updated as new information becomes available.
All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored for IOCs and Lateral Movement, with heightened vigilance around Citrix-related alerts. Triskele Labs SOC customers with our Vulnerability Scanning service are being assessed currently.