CVSS2: 9 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |

CVSS3: 8.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS: 0.001 Low (Percentile: 43.9%)

Vulnerabilities have been identified in Citrix Virtual Apps and Desktops that could, if exploited, result in:
These vulnerabilities have the following identifiers:
CVE ID | Description | Vulnerability Type | Pre-conditions |
---|---|---|---|
CVE-2020-8269 | An authenticated user on a multi-session VDA can perform arbitrary command execution as SYSTEM | CWE-269: Improper Privilege Management | The attacker must be an authenticated user who has been granted write access to the C:\ root directory |
CVE-2020-8270 | An unprivileged Windows user on a VDA with Citrix App-V Service installed OR an SMB user who has connected to a VDA with Citrix App-V Service installed can perform arbitrary command execution as SYSTEM | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | Citrix App-V Service must be installed on the VDA. The attacker must either be an authenticated user on the Windows VDA or be authenticated to Windows SMB service running on the VDA |
CVE-2020-8283 | An authenticated user on a Windows host that is running Universal Print Server (UPS) can perform arbitrary command execution as SYSTEM | CWE-269: Improper Privilege Management | The attacker must be an authenticated user who has been granted write access to the C:\ root directory |
The vulnerabilities affect the following supported versions of Citrix Virtual Apps and Desktops:
Please note that Citrix XenApp / XenDesktop 7.6 LTSR is not affected by CVE-2020-8270.
If Citrix App-V Service is not installed and low-privilege users have not been granted the permission to write files to C:\ root directory, the vulnerabilities will not be exploitable. Citrix recommends that users are only granted the permissions they require.
Where Citrix App-V Service is installed, a remote compromise is only possible when Windows file sharing (SMB) is enabled on the Windows VDA. If authentication is required for SMB then an attacker must first authenticate to the SMB service in order to remotely compromise the VDA.
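The pre-conditions above can be checked on a VDA or Universal Print Server host before patching is scheduled. The following PowerShell is an added example, not Citrix tooling: the function name is hypothetical, the `*Citrix*App-V*` display-name pattern is an assumption about how the service is registered, and a running `LanmanServer` service is used as a proxy for "SMB enabled".

```powershell
function Test-CtxAdvisoryPreconditions {
    [CmdletBinding()]
    param([string]$Root = 'C:\')

    # SYSTEM, Administrators and TrustedInstaller are expected to have write access.
    $privileged = @(
        'S-1-5-18',
        'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )
    # WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
    # GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
    $writeBits   = 0x50000006
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $writers = foreach ($rule in (Get-Acl -LiteralPath $Root).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to the root directory itself.
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        if (-not ([int]$rule.FileSystemRights -band $writeBits)) { continue }
        $sid = $rule.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($privileged -contains $sid) { continue }
        [pscustomobject]@{
            Identity = $rule.IdentityReference.Value
            Rights   = $rule.FileSystemRights
        }
    }

    # Assumption: the App-V component registers a service whose display name
    # contains both "Citrix" and "App-V".
    $appv = Get-Service | Where-Object { $_.DisplayName -like '*Citrix*App-V*' }
    # LanmanServer is the Windows "Server" service that provides SMB file sharing.
    $smb  = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RootWriters      = @($writers)
        AppVInstalled    = [bool]$appv
        SmbServerRunning = ($smb -and $smb.Status -eq 'Running')
    }
}

Test-CtxAdvisoryPreconditions | Format-List
```

Each `RootWriters` entry lists the exact rights granted, so an entry that only allows folder creation can be told apart from one that allows file creation. A host with no non-privileged root writers and `AppVInstalled` false matches the non-exploitable configuration described above.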
The issues have been addressed in the following versions of Citrix Virtual Apps and Desktops:
Citrix strongly recommends that customers upgrade to a fixed version as soon as possible.
The latest versions of Citrix Virtual Apps and Desktops are available from the following location:
<https://www.citrix.com/en-gb/downloads/citrix-virtual-apps-and-desktops/>
The following hotfixes have been released to address the issues in Citrix Virtual Apps and Desktops 1912 LTSR CU1 and Citrix XenApp / XenDesktop 7.15 LTSR CU6. Customers should ensure they have installed the most recent cumulative update and then install any applicable hotfixes:
Citrix Virtual Apps and Desktops 1912 CU1
CTX285870 for Multi-Session VDAs (64-bit) - <https://support.citrix.com/article/CTX285870>
CTX285871 for Citrix App-V Service (64-bit) - <https://support.citrix.com/article/CTX285871>
CTX285872 for Citrix App-V Service (32-bit) - <https://support.citrix.com/article/CTX285872>
CTX286120 for Citrix Universal Print Server - <https://support.citrix.com/article/CTX286120>
Update: Please note that 1912 LTSR CU2 is now available and includes updates to address these issues. Customers are recommended to upgrade to CU2 instead of applying these hotfixes. Customers who have already applied the hotfixes will not be vulnerable to these vulnerabilities.
Citrix XenApp / XenDesktop 7.15 CU6
CTX291361 for Citrix App-V Service (64-bit) - <https://support.citrix.com/article/CTX291361>
CTX291360 for Citrix App-V Service (32-bit) - <https://support.citrix.com/article/CTX291360>
CTX285344 for Multi-Session VDAs (64-bit) - <https://support.citrix.com/article/CTX285344>
A previous version of this advisory linked to hotfixes for XenApp / XenDesktop 7.15 Citrix App-V Service which have been updated by the versions above due to functional issues that do not affect the security of the hotfix.
Citrix would like to thank Hannay Al-Mohanna of F-Secure Consulting and Michael Garrison of State Farm Information Security for working with us to protect Citrix customers.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at _<http://support.citrix.com/>_.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _<https://www.citrix.com/support/open-a-support-case.html>_.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: <https://www.citrix.com/about/trust-center/vulnerability-process.html>
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time.
Date | Change |
---|---|
2020-11-10 | Initial Publication |
2020-11-25 | Clarification on when a version is impacted and added that 1912 LTSR CU2 is now available |
2020-12-02 | Clarification that privilege escalation is possible for affected VDAs with Citrix App-V installed |
2021-01-27 | Updated hotfixes released for XenApp/XenDesktop 7.15 App-V Service |