CVE-2024-8068 and CVE-2024-8069 - Citrix Session Recording RCE Vulnerability

Published: 14 November 2024

Prepared by: Adam Skupien, Vulnerability Security Analyst

Purpose

The purpose of this bulletin is to address two vulnerabilities in the Citrix Virtual App and Desktops Session Recording feature.

The CVEs associated with the vulnerabilities are CVE-2024-8068 and CVE-2024-8069, which the vendor currently classifies as Medium severity. That rating is disputed by the researchers who discovered the issue, because the exploit achieves unauthenticated remote code execution on affected devices. This bulletin is therefore being released to urge prompt application of the hotfixes to the affected products.

Details

On 12 November 2024, the watchTowr security research team released an article detailing the discovery and exploitation of a vulnerability in the Session Recording feature of Citrix Virtual Apps and Desktops, developed by Citrix. The article included a Proof of Concept (POC) for the exploit and was published following a responsible disclosure process.

The US Cybersecurity and Infrastructure Security Agency (CISA) also released a bulletin targeting this vulnerability, encouraging administrators to apply the suggested updates.

On 12 November 2024, Citrix published an article disclosing these vulnerabilities. The vulnerabilities are being tracked as CVE-2024-8068 and CVE-2024-8069, and the vendor has provided download links for hotfixes for the affected versions.

The following supported versions of Citrix Virtual Apps and Desktops are affected:

Current Release:

  • 2407 before hotfix 24.5.200.8

Long Term Service Release (LTSR):

  • 1912 LTSR before CU9 hotfix 19.12.9100.6
  • 2203 LTSR before CU5 hotfix 22.03.5100.11
  • 2402 LTSR before CU1 hotfix 24.02.1200.16

Impact

Triskele Labs recommends following the vendor guidance and applying the hotfixes provided by Citrix as a priority. These hotfixes can be downloaded at the links below:

  • Citrix Virtual Apps and Desktops 2407 hotfix 24.5.200.8 - https://support.citrix.com/article/CTX69204
  • Citrix Virtual Apps and Desktops 1912 LTSR CU9 hotfix 19.12.9100.6 - https://support.citrix.com/article/CTX692044
  • Citrix Virtual Apps and Desktops 2203 LTSR CU5 hotfix 22.03.5100.11 - https://support.citrix.com/article/CTX692045
  • Citrix Virtual Apps and Desktops 2402 LTSR CU1 hotfix 24.02.1200.16 - https://support.citrix.com/article/CTX692046

Additionally, Triskele Labs recommends auditing your environment to confirm that no Microsoft Message Queuing (MSMQ) over HTTP services are exposed to the internet. A Session Recording server that accepts MSMQ traffic over HTTP from untrusted networks is the exposure that makes the unauthenticated exploit path reachable, so the check is worth running even on hosts that have already been patched.
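The following PowerShell script is an added example for carrying out the two checks above on a Session Recording server; it is not from the Triskele Labs bulletin or from Citrix. The hotfix thresholds are the ones listed in this bulletin. Everything else is an assumption to adjust for your estate: that the Session Recording components register in the Uninstall registry hives with a DisplayName containing "Citrix Session Recording", that MSMQ HTTP support shows up as the Windows feature MSMQ-HTTP with an IIS virtual directory whose path contains "msmq", and that a listener bound to all interfaces on 80/443 is the condition you then cross-check against perimeter firewall and NAT rules, since a host-local script cannot see internet reachability by itself.

```powershell
# Added example (not the bulletin's or Citrix's own code). Run elevated on a
# Session Recording server. Assumptions are marked inline.

# Minimum fixed versions per release branch, taken from the bulletin.
$FixedVersions = @{
    '24.5'  = [version]'24.5.200.8'     # Current Release 2407
    '19.12' = [version]'19.12.9100.6'   # 1912 LTSR CU9
    '22.3'  = [version]'22.03.5100.11'  # 2203 LTSR CU5
    '24.2'  = [version]'24.02.1200.16'  # 2402 LTSR CU1
}

function Get-CitrixSessionRecordingInstalls {
    # Assumption: components register with a DisplayName containing this string.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Citrix Session Recording*' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-SessionRecordingHotfix {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$DisplayVersion
    )
    $v = $DisplayVersion -as [version]
    if (-not $v) {
        return [pscustomobject]@{ Component = $DisplayName; Version = $DisplayVersion; Status = 'UNPARSEABLE VERSION - review manually' }
    }
    # Map an installed build to its release branch by major.minor (22.03 parses as 22.3).
    $branch = "$($v.Major).$($v.Minor)"
    if (-not $FixedVersions.ContainsKey($branch)) {
        return [pscustomobject]@{ Component = $DisplayName; Version = $v; Status = 'UNKNOWN BRANCH - check vendor advisory' }
    }
    $status = if ($v -ge $FixedVersions[$branch]) { 'Patched' } else { "VULNERABLE - needs $($FixedVersions[$branch])" }
    [pscustomobject]@{ Component = $DisplayName; Version = $v; Status = $status }
}

function Test-MsmqHttpExposure {
    $findings = @()

    # Windows feature that provides MSMQ over HTTP (Server Manager name).
    $feature = Get-WindowsFeature -Name MSMQ-HTTP -ErrorAction SilentlyContinue
    if ($feature -and $feature.Installed) { $findings += 'Windows feature MSMQ-HTTP is installed' }

    # Assumption: MSMQ HTTP support is served from an IIS virtual directory containing "msmq".
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $vdir = Get-WebVirtualDirectory -Site 'Default Web Site' -ErrorAction SilentlyContinue |
                Where-Object { $_.path -like '*msmq*' }
        if ($vdir) { $findings += "IIS virtual directory present: $($vdir.path -join ', ')" }
    }

    # HTTP(S) listeners bound to every interface; reachability from the internet
    # still has to be confirmed against perimeter firewall / NAT rules.
    $listeners = Get-NetTCPConnection -LocalPort 80, 443 -State Listen -ErrorAction SilentlyContinue |
                 Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }
    if ($listeners) {
        $ports = ($listeners.LocalPort | Sort-Object -Unique) -join ','
        $findings += "HTTP(S) listener bound to all interfaces on port(s) $ports"
    }
    $findings
}

# Report hotfix status for every Session Recording component found.
Get-CitrixSessionRecordingInstalls |
    ForEach-Object { Test-SessionRecordingHotfix -DisplayName $_.DisplayName -DisplayVersion $_.DisplayVersion } |
    Format-Table -AutoSize

# Report MSMQ-over-HTTP indicators; any hit should be traced to the network edge.
$exposure = Test-MsmqHttpExposure
if ($exposure) {
    'MSMQ over HTTP indicators found:'
    $exposure | ForEach-Object { " - $_" }
} else {
    'No MSMQ-over-HTTP indicators found on this host.'
}
```

A component reported as "UNKNOWN BRANCH" is not necessarily safe; it simply means the installed major.minor does not match one of the four branches the bulletin lists, so it should be checked against the vendor advisory by hand. Likewise, "No indicators" only says this host is not serving MSMQ over HTTP; exposure of other hosts in the Session Recording tier still needs the same check.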

Please note: Citrix has advised that rollbacks of these updates are not supported, as the hotfixes replace key components of the installation. Attempts to revert to a previous version may result in the loss of configured settings.

This bulletin will be updated as new information becomes available.

Detection Capabilities

All customers with our Monitor service (24x7x365 Managed Detection and Response) are, as always, being monitored for IOCs and lateral movement, with heightened vigilance around Citrix-related alerts. Triskele Labs SOC customers with our Vulnerability Scanning service are currently being assessed for the affected versions.

References