Attacks on Citrix security vulnerability observed
Last week, Citrix closed vulnerabilities in Session Recording. Now IT researchers have observed attacks on them.
The vulnerabilities in Citrix Session Recording, for which the manufacturer provided software updates last week, are being attacked in the wild. IT managers should therefore install the available updates as quickly as possible.
The Internet Storm Center of the SANS Institute has now observed attempts to attack the vulnerability on its honeypots. Johannes Ullrich writes that he discovered exploit attempts on Monday of this week.
Virtual Apps and Desktops: Secure remote access
Ullrich explains that Citrix Virtual Apps and Desktops is designed to provide secure remote access to desktop applications. It is often used for remote work; he has also seen setups in call centers that use it to isolate the workstation from the desktop. However, these remote desktops all run on the same server. The IT security researcher goes on to explain that a privilege escalation therefore affects not only the specific desktop, but also the server and all associated sessions.
Citrix adds a function for recording and saving sessions, which admins can view if required. This feature uses a .NET function that has deserialization vulnerabilities. The vulnerability was investigated by the IT security experts at watchTowr, and a proof-of-concept exploit was published on GitHub.
Attackers have now apparently picked it up and used it to attack vulnerable instances. According to Ullrich, the exploit does not require prior authentication. However, the URL used in the exploit to download a script returned an HTTP 404 error (not found), making further analysis of the attack impossible.
To avoid the risk of falling victim to such attacks in the wild, the updates should be applied immediately.
Citrix closed several vulnerabilities in different products last week. In addition to NetScaler ADC and NetScaler Gateway, there were software patches for Virtual Apps and Desktops. Citrix has since updated the security advisory to specify that Citrix Session Recording is affected.
(dmk)