Description of Problem
A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.
This vulnerability has the following identifier:
CVE ID | Description | Vulnerability Type | Pre-conditions |
CVE-2021-22928 | Local privilege escalation on a Windows VDA | CWE-284: Improper Access Control | Authenticated access to a VDA with Citrix Profile Management or Citrix Profile Management WMI Plugin installed |
The vulnerability affects the following supported versions of Citrix Virtual Apps and Desktops and XenApp / XenDesktop:
- Citrix Virtual Apps and Desktops 2106 and earlier Current Release (CR) versions
- Citrix Virtual Apps and Desktops 1912 LTSR CU3 and earlier versions of 1912 LTSR
- Citrix XenApp / XenDesktop 7.15 LTSR CU7 and earlier versions of 7.15 LTSR
Citrix Virtual Apps and Desktops 2106 is only affected when Citrix Profile Management is installed on a Windows VDA as Citrix Profile Management WMI Plugin is not affected in this version.
Please note that Citrix XenApp / XenDesktop 7.6 LTSR has now reached End of Life and is no longer supported except through Citrix Extended Support Program.