A remote code execution vulnerability has been identified in the Citrix Workspace and Citrix Receiver clients for Windows. Citrix Workspace allows centralized app and file management. By exploiting this vulnerability, an attacker could gain remote access to the target's storage, allowing data exfiltration and/or remote code execution.
At this time, the Masergy Threat Intelligence Team is not aware of any in-the-wild exploitation or public proof-of-concept exploits, although the NCC Group has demonstrated a proof-of-concept exploit. We will continue to monitor the situation as it develops. We assess that it is probable that actors will pursue the development of exploits for this vulnerability.
CVE-2019-11634 takes advantage of a Citrix client on Windows that has been configured to run in unauthenticated / anonymous mode by launching a Citrix Workspace session via a browser. Normally, a prompt would request permission to access the resources on the host. However, when a session is launched via a browser, the prompt may or may not be displayed, depending on the browser used. This allows an attacker to obtain read/write access to the resources of the host, which could enable code execution on the victim's device. When exploiting via Microsoft Edge or Internet Explorer, zero interaction is required. When exploiting via Google Chrome or Mozilla Firefox, user interaction may be required depending on the configuration.
We recommend the following actions be taken:
- Upgrade the Citrix Workspace app for Windows to version 1904 or later, or Citrix Receiver for Windows to LTSR 4.9 CU6 version 4.9.6001 after appropriate testing.
- Citrix noted that, after the security update is applied, Single Sign-on could stop working for browsers other than Internet Explorer. If this is the case, Citrix provided documentation to ensure proper configuration.
Citrix provided links to the updated software in their advisory: https://support.citrix.com/article/CTX251986
- Remote Code Execution in Citrix Workspace / Receiver
- Citrix Workspace app for Windows prior to version 1904
- Citrix Receiver for Windows earlier than LTSR 4.9 CU6 version 4.9.6001