Citrix Virtual Apps and Desktops Security Update

Related Vulnerabilities: CVE-2020-8269, CVE-2020-8270, CVE-2020-8283

Description of Problem

Vulnerabilities have been identified in Citrix Virtual Apps and Desktops that could, if exploited, result in:

  • An authenticated user of a multi-session Windows VDA, who has been granted permission to write to c:\ root directory, being able to escalate their privilege level on that VDA to SYSTEM
  • An authenticated user of a Windows VDA with Citrix App-V service installed being able to escalate their privilege level on that VDA to SYSTEM
  • An authenticated SMB user, who has connected to a Windows VDA with Citrix App-V Service installed and Windows file sharing (SMB) enabled, being able to remotely compromise that VDA
  • A user of a Windows host running Citrix Universal Print Server (UPS), who has been granted permission to write to c:\ root directory, being able to escalate their privilege level on that host to SYSTEM. 


These vulnerabilities have the following identifiers:

CVE-2020-8269
  Description: An authenticated user on a multi-session VDA can perform arbitrary command execution as SYSTEM
  Vulnerability Type: CWE-269: Improper Privilege Management
  Pre-conditions: The attacker must be an authenticated user who has been granted write access to the C:\ root directory

CVE-2020-8270
  Description: An unprivileged Windows user on a VDA with Citrix App-V Service installed, OR an SMB user who has connected to a VDA with Citrix App-V Service installed, can perform arbitrary command execution as SYSTEM
  Vulnerability Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  Pre-conditions: Citrix App-V Service must be installed on the VDA. The attacker must either be an authenticated user on the Windows VDA or be authenticated to the Windows SMB service running on the VDA

CVE-2020-8283
  Description: An authenticated user on a Windows host that is running Universal Print Server (UPS) can perform arbitrary command execution as SYSTEM
  Vulnerability Type: CWE-269: Improper Privilege Management
  Pre-conditions: The attacker must be an authenticated user who has been granted write access to the C:\ root directory


The vulnerabilities affect the following supported versions of Citrix Virtual Apps and Desktops:

  • Citrix Virtual Apps and Desktops 2006 and earlier versions
  • Citrix Virtual Apps and Desktops 1912 LTSR CU1 and earlier versions of 1912 LTSR
  • Citrix XenApp / XenDesktop 7.15 LTSR CU6 and earlier versions of 7.15 LTSR
  • Citrix XenApp / XenDesktop 7.6 LTSR CU8 and earlier versions of 7.6 LTSR

Please note that Citrix XenApp / XenDesktop 7.6 LTSR is not affected by CVE-2020-8270.
 

Mitigating Factors

If Citrix App-V Service is not installed and low-privilege users have not been granted the permission to write files to C:\ root directory, the vulnerabilities will not be exploitable. Citrix recommends that users are only granted the permissions they require. 

Where Citrix App-V Service is installed, a remote compromise is only possible when Windows file sharing (SMB) is enabled on the Windows VDA. If authentication is required for SMB, an attacker must first authenticate to the SMB service in order to remotely compromise the VDA.
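The mitigating factors above reduce to three checks on each VDA or UPS host: whether a non-administrative principal can create files in C:\, whether the Citrix App-V Service is present, and whether the SMB server is enabled. The following PowerShell audit is an added example, not Citrix's code or part of this advisory. It assumes the Citrix App-V and Universal Print Server services can be recognised by their display names (the advisory does not give service names, so confirm the patterns against the Services console), and it uses an assumed baseline list of principals that legitimately hold write access to C:\; adjust both for your environment. Run it elevated so that Get-Acl and Get-SmbServerConfiguration return complete results.

```powershell
# Added example (not Citrix's code): read-only audit of the pre-conditions
# named in the advisory's "Mitigating Factors" section. Nothing here changes
# the host; it only reports which pre-conditions are currently met.

function Get-RootWriteGrants {
    # Return ACEs on the C:\ root that allow a non-administrative principal to
    # create files there (CVE-2020-8269 / CVE-2020-8283 pre-condition).
    param([string]$Path = 'C:\')

    # Assumption: these principals are expected to hold write access on C:\.
    $trusted = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'CREATOR OWNER',
        'NT SERVICE\TrustedInstaller'
    )

    # CreateFiles (WriteData) is the bit that permits creating a file in the
    # folder; Write, Modify and FullControl all include it. Folder creation
    # (CreateDirectories) is not flagged because the advisory names file writes.
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles

    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $createFiles) -ne 0 -and
            # InheritOnly ACEs apply to children, not to the root folder itself
            ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0 -and
            $trusted -notcontains $_.IdentityReference.Value
        } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

function Test-CvadExposure {
    # Combine the advisory's pre-conditions into a single report object.
    # Assumption: Citrix App-V and Universal Print Server services are matched
    # by display-name pattern; verify the patterns on a reference host.
    $appV = Get-Service | Where-Object { $_.DisplayName -like 'Citrix*App-V*' }
    $ups  = Get-Service | Where-Object { $_.DisplayName -like 'Citrix*Universal Print*' }

    # SMB server: the LanmanServer service must be running and at least one
    # SMB dialect enabled for the remote path of CVE-2020-8270 to be reachable.
    $smbEnabled = $false
    $lanman = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    if ($lanman -and $lanman.Status -eq 'Running') {
        $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
        if ($cfg) {
            $smbEnabled = [bool]($cfg.EnableSMB1Protocol -or $cfg.EnableSMB2Protocol)
        } else {
            # Cmdlet unavailable (old OS or not elevated): treat a running
            # server service as enabled rather than under-report exposure.
            $smbEnabled = $true
        }
    }

    $rootGrants = @(Get-RootWriteGrants)

    [PSCustomObject]@{
        AppVServiceInstalled = [bool]$appV
        UpsServiceInstalled  = [bool]$ups
        SmbServerEnabled     = $smbEnabled
        RootWriteGrants      = $rootGrants
        # CVE-2020-8269 (multi-session VDA) and CVE-2020-8283 (UPS host)
        # require a low-privilege principal with write access to C:\ root
        RootWriteRisk        = ($rootGrants.Count -gt 0)
        # CVE-2020-8270: local path needs only the App-V service;
        # remote path additionally needs the SMB server enabled
        AppVLocalRisk        = [bool]$appV
        AppVRemoteRisk       = ([bool]$appV -and $smbEnabled)
    }
}

# Usage: run from an elevated PowerShell prompt on each VDA or UPS host.
Test-CvadExposure | Format-List
```

A host where every risk flag is false still needs the fixed version or hotfix; the flags only tell you which hosts to prioritise and whether an interim permission or SMB change would close the exposure until the update is applied.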
 

What Customers Should Do

The issues have been addressed in the following versions of Citrix Virtual Apps and Desktops: 

  • Citrix Virtual Apps and Desktops 2009 or later
  • Citrix Virtual Apps and Desktops 1912 LTSR CU1 hotfixes CTX285870, CTX285871, CTX285872 and CTX286120, and later cumulative updates
  • Citrix XenApp / XenDesktop 7.15 LTSR CU6 hotfixes CTX285341, CTX285342 and CTX285344, and later cumulative updates
  • Citrix XenApp / XenDesktop 7.6 LTSR CU9 and later cumulative updates

Citrix strongly recommends that customers upgrade to a fixed version as soon as possible.
 

The latest versions of Citrix Virtual Apps and Desktops are available from the following location:

https://www.citrix.com/en-gb/downloads/citrix-virtual-apps-and-desktops/ 
 

The following hotfixes have been released to address the issues in Citrix Virtual Apps and Desktops 1912 LTSR CU1 and Citrix XenApp / XenDesktop 7.15 LTSR CU6. Customers should ensure they have installed the most recent cumulative update and then install any applicable hotfixes: 
 

Citrix Virtual Apps and Desktops 1912 CU1

CTX285870 for Multi-Session VDAs (64-bit) - https://support.citrix.com/article/CTX285870

CTX285871 for Citrix App-V Service (64-bit) - https://support.citrix.com/article/CTX285871

CTX285872 for Citrix App-V Service (32-bit) - https://support.citrix.com/article/CTX285872

CTX286120 for Citrix Universal Print Server - https://support.citrix.com/article/CTX286120

Update: Please note that 1912 LTSR CU2 is now available and includes updates to address these issues. Customers are recommended to upgrade to CU2 instead of applying these hotfixes. Customers who have already applied the hotfixes will not be vulnerable to these vulnerabilities. 
 

Citrix XenApp / XenDesktop 7.15 CU6

CTX291361 for Citrix App-V Service (64-bit) - https://support.citrix.com/article/CTX291361

CTX291360 for Citrix App-V Service (32-bit) - https://support.citrix.com/article/CTX291360

CTX285344 for Multi-Session VDAs (64-bit) - https://support.citrix.com/article/CTX285344

A previous version of this advisory linked to hotfixes for the XenApp / XenDesktop 7.15 Citrix App-V Service; those hotfixes have been superseded by the versions above because of functional issues that do not affect the security of the hotfix.

Acknowledgements

Citrix would like to thank Hannay Al-Mohanna of F-Secure Consulting and Michael Garrison of State Farm Information Security for working with us to protect Citrix customers.
 

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
 

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html
 

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html
 

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time.
 

Changelog

Date        Change
2020-11-10  Initial Publication
2020-11-25  Clarification on when a version is impacted and added that 1912 LTSR CU2 is now available
2020-12-02  Clarification that privilege escalation is possible for affected VDAs with Citrix App-V installed
2021-01-27  Updated hotfixes released for XenApp/XenDesktop 7.15 App-V Service