Exploitation attempts have been seen for two recently patched Citrix Session Recording vulnerabilities.
The vulnerabilities, tracked as CVE-2024-8068 and CVE-2024-8069, were discovered by researchers at cybersecurity firm WatchTowr, which made public technical details and a proof-of-concept (PoC) exploit on November 12.
WatchTowr described the vulnerabilities as affecting the Citrix Virtual Apps and Desktops virtualization solution, and warned that they can allow unauthenticated remote code execution.
When it initially disclosed the vulnerabilities, WatchTowr said it had not been aware of CVE identifiers and did not know which versions of the Citrix product included patches for the flaws, leading many to believe that they had yet to be fixed. The company later updated its blog post with the CVEs and a link to Citrix’s advisory.
Citrix had in fact released an advisory on the same day WatchTowr made its findings public. The company’s advisory initially referenced Citrix Virtual Apps and Desktops, but it was later updated to clarify that the issues impact the Session Recording component. Patches were made available for both security holes and users have been advised to update as soon as possible.
Citrix has described the vulnerabilities as having medium severity: CVE-2024-8068 is a privilege escalation issue, and CVE-2024-8069 a “limited remote code execution” flaw — both requiring authentication.
The company told SecurityWeek that it assigned a ‘medium’ severity rating for several reasons.
“The exploit is limited to Citrix Session Recording server, which is an optional component of a Citrix Virtual Apps and Desktop Deployment,” Citrix explained, adding that “Session Recording Server is typically deployed on a standalone Windows Server” and “It is security best practice that Session Recording Server is installed on a trusted machine inside the corporate network and cannot be reached from the internet.”
“For the vulnerability reported, the attacker exploits Microsoft MSMQ technology to send malicious objects to the Session Recording server. This requires the attacker to be on a trusted machine which is the same domain as the Session Recording server. Citrix recommends customers to enable HTTPS integration with Active Directory as the authentication method for communication with MSMQ,” Citrix said.
“If exploits were successfully executed on the Session Recording server, they would run in the less privileged Network Service context, not in the System context,” it noted.
However, there are multiple reports of exploitation attempts targeting CVE-2024-8068 and CVE-2024-8069.
The Shadowserver Foundation started seeing attempts to exploit the vulnerabilities with the PoC released by WatchTowr just hours after disclosure.
Security researcher Kevin Beaumont pointed out that some organizations do expose these systems to the internet, with a Shodan search showing hundreds of such instances. Beaumont said that — contrary to Citrix’s claims — he was able to exploit the vulnerabilities over the internet without authentication.
The researcher saw scanning activity on November 12, but no signs of exploitation.
The most recent exploitation attempts were observed by the SANS Technology Institute, whose honeypots recorded attempts to execute a curl command originating from an IP address in South Africa.
While some of the exploitation attempts may be conducted by members of the cybersecurity community looking for potentially vulnerable servers, at least some attacks may be conducted by malicious actors, either just looking for vulnerable systems or actually trying to penetrate organizations. There do not appear to be any confirmed reports of successful in-the-wild exploitation.
Citrix has not addressed reports about exploitation attempts, but urged customers to install the available update to prevent exploits, and said it would publish more information to address concerns.
Two Citrix product vulnerabilities were among the 15 most commonly exploited vulnerabilities in 2023.