Hackers can take command of systems using vulnerabilities in Citrix Session Recording software, according to a recent warning.
In a recent development, researchers at watchTowr have disclosed two significant security flaws in Citrix Session Recording, identified as CVE-2024-8068 and CVE-2024-8069. These vulnerabilities, if exploited, could potentially allow an attacker to take control of a system and execute remote code.
The Cybersecurity and Infrastructure Security Agency (CISA) and Cloud Software Group, the parent company of Citrix, have both encouraged users to review the security bulletin and apply necessary upgrades as soon as possible. However, there is a dispute over whether an attacker must be authenticated to exploit these vulnerabilities.
CVE-2024-8068 has a CVSS score of 5.1 and involves privilege escalation to NetworkService account access. CVE-2024-8069, on the other hand, allows limited remote code execution with the privileges of a NetworkService account.
The flaws stem from Citrix's use of BinaryFormatter, a .NET class provided by Microsoft that is known to be insecure and cannot be made secure. It is used in the handling of user data, which is received by Citrix via an MSMQ queue and can be accessed over the internet.
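A generic illustration of the bug class described above, added here as an example; it is not Citrix's code or watchTowr's proof of concept. The RecordingEvent type, its fields and the 64 KB size limit are assumptions made for the illustration, and DataContractSerializer stands in as one of the alternatives to BinaryFormatter that Microsoft documents.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Text;
using System.Xml;

// Hypothetical message type for this example; not a Citrix type.
[DataContract]
public sealed class RecordingEvent
{
    [DataMember] public string SessionId { get; set; }
    [DataMember] public int EventCode { get; set; }
}

public static class QueueMessageReader
{
    // Unsafe pattern, shown as a comment only: BinaryFormatter instantiates whatever
    // types the incoming bytes name, so the sender chooses what gets constructed.
    //   object o = new BinaryFormatter().Deserialize(new MemoryStream(body));

    // Safer pattern: the receiver fixes the single type it accepts, bounds the
    // input size, and validates every field before use.
    public static RecordingEvent Read(byte[] body)
    {
        if (body == null || body.Length == 0 || body.Length > 64 * 1024)
            throw new InvalidDataException("message empty or too large");
        var serializer = new DataContractSerializer(typeof(RecordingEvent));
        using (var reader = XmlDictionaryReader.CreateTextReader(body, new XmlDictionaryReaderQuotas()))
        {
            // Throws SerializationException if the root element is not RecordingEvent.
            var evt = (RecordingEvent)serializer.ReadObject(reader);
            if (evt == null || !Guid.TryParse(evt.SessionId, out _) || evt.EventCode < 0 || evt.EventCode > 999)
                throw new InvalidDataException("field validation failed");
            return evt;
        }
    }

    public static void Main()
    {
        // Constructed sample message, serialized the same way a trusted sender would.
        var ms = new MemoryStream();
        new DataContractSerializer(typeof(RecordingEvent)).WriteObject(
            ms, new RecordingEvent { SessionId = Guid.NewGuid().ToString(), EventCode = 7 });
        Console.WriteLine(Read(ms.ToArray()).EventCode);

        // Constructed message naming a different root type: rejected, not instantiated.
        byte[] other = Encoding.UTF8.GetBytes("<Other xmlns=\"urn:example\"/>");
        try { Read(other); }
        catch (SerializationException) { Console.WriteLine("rejected"); }
    }
}
```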
Microsoft has warned that attackers leveraging deserialization vulnerabilities can cause denial of service, information disclosure, or remote code execution inside the targeted application. Shadowserver has reported threat activity based on the proof of concept for these vulnerabilities.
Researchers urge users to upgrade to a safer version of Citrix Session Recording right away. watchTowr and Citrix issued a security bulletin and a blog post, respectively, on Tuesday, which was a mutually agreed upon disclosure date. However, a spokesperson for Cloud Software Group stated that an attacker must be authenticated to gain access, according to their security team's analysis.
Harris, a researcher, has stated that it is unclear why Citrix is disputing the unauthenticated nature of this vulnerability and their exploitation paths. A previous report from Ionix mentioned that a Citrix vulnerability (possibly related, though not explicitly confirmed to be one of these specific CVEs) was claimed to lead to unauthenticated remote code execution.
In light of these findings, it is crucial for users to prioritise the upgrade of their Citrix Session Recording software to ensure the security of their systems and data.
- The vulnerabilities in Citrix Session Recording, specifically CVE-2024-8068 and CVE-2024-8069, pose a significant risk to privacy, as they could potentially allow unauthorized access and remote code execution, challenging the current cybersecurity measures in place.
- The ongoing debate over whether an attacker must be authenticated to exploit these vulnerabilities highlights the need for enhanced cybersecurity technology and practices, particularly in the handling of user data, to mitigate potential threats and maintain data privacy.