Citrix Secure Access client for Windows Security Bulletin for CVE-2023-24491

A vulnerability has been discovered in the Citrix Secure Access client for Windows.

The following supported versions are affected by the vulnerability:

• Versions before 23.5.1.3

The issue has the following identifier:

This issue has been addressed in the following versions of the Citrix Secure Access client for Windows:

• 23.5.1.3 and later releases

Citrix recommends that customers who are affected by the above vulnerability upgrade the Citrix Secure Access client for Windows installed on their endpoints by taking the following actions as soon as possible:  

1. If Citrix Secure Access client for Windows is distributed via the SSL VPN upgrade control feature of Citrix ADC or Citrix Gateway: 

Check the versions of the Citrix Secure Access client for Windows that are being distributed by each Citrix ADC or Citrix Gateway instance. This can be done using either GUI (instructions at: https://www.citrix.com/downloads/citrix-gateway/plug-ins/citrix-secure-access-client-for-windows.html) or by viewing the file located at /var/netscaler/gui/vpn/pluginlist.xml. If it is a vulnerable version, customers must:

• Replace the vulnerable client on the Citrix ADC or Citrix Gateway by following the instructions at: https://www.citrix.com/downloads/citrix-gateway/plug-ins/citrix-secure-access-client-for-windows.html.

Information about the upgrade control feature is detailed at: https://docs.citrix.com/en-us/citrix-gateway/13/vpn-user-config/how-users-connect-with-gateway-plugin.html#control-upgrade-of-citrix-gateway-plug-ins 

2. If the Citrix Secure Access client is distributed/upgraded directly onto users' devices:   

Customers must install the above-mentioned fixed client on their users' devices by downloading them from https://www.citrix.com/downloads/citrix-gateway/plug-ins/citrix-secure-access-client-for-windows.html