Known Citrix Workspace Bug Open to New Attack Vector

A Citrix Workspace vulnerability that was fixed in July has been found to have a secondary attack vector, which would allow cybercriminals to elevate privileges and remotely execute arbitrary commands under the SYSTEM account.

The bug (CVE-2020-8207), exists in the automatic update service of the Citrix Workspace app for Windows. It could allow local privilege-escalation as well as remote compromise of a computer running the app when Windows file sharing (SMB) is enabled, according to the Citrix advisory.

The bug, though mostly fixed over the summer, was recently found to still allow attackers to abuse Citrix-signed MSI installers, according to Pen Test Partners (MSI is the filename extension of Windows Installer packages). This turns the bug into a remote command-line injection vulnerability.

The update service originally relied on a faulty file hash within a JSON payload to determine if an update should proceed or not – allowing attackers to download their own code by exploiting the weak hash. To fix the problem, the latest update catalogs are now directly downloaded from the Citrix update servers, and the service “cross-references the hashes with the file that is requested for install from the UpdateFilePath attribute,” wrote researchers at Pen Test Partners, in a Monday posting.

“If the update file is signed, valid and the hash of the update file matches one of the files within the manifest, the update file is executed to perform the upgrade,” they explained.

However, the patch didn’t prevent remote connectivity to limit the attack surface.

“The catalog includes executables and MSI files for installation,” according to the firm. “MSI files on the other hand cannot be executed in the same way as executable files, therefore the update service must handle these differently.”

In looking at the installer-launch code, the researchers found that the application checks the extension of the file requested for update, and if it ends with MSI, it is assumed to be a Windows Installer file. Since the MSI file is checked for a valid signature and is cross-referenced with the current catalog, attackers can’t directly install arbitrary MSI files.

Even though the MSI files are signed and hashed to prevent modification, one of the features supported by the Windows Installer is MSI Transforms (MST).

“As the name suggests, MSI Transforms support altering or transforming the MSI database in some way prior to installation,” according to Pen Test Partners. “Domain administrators commonly use this feature to push out MSI files within Active Directory environments that do not always work in an unattended way when executed on their own. For example, an MST might be created that will inject a product activation code prior to installing.”

To apply an MST, users would specify the path to the transform file on the command line, which merges the main MSI file with changes that are present within the MST file during the installation process.

Therein lies the bug: “Since we can control the arguments passed to msiexec, we can include the path to a malicious Transform but using an official, signed Citrix MSI that is present within the catalog file,” researchers said.

Malicious Transforms can be generated with an existing tool called Microsoft Orca, they added, or with a custom tool. Then, to exploit the vulnerability, attackers would place the original MSI installer and the MST onto a network share ready for the victim machine.

“Both the local and remote privilege-escalation methods can only be exploited while an instance of CitrixReceiverUpdate.exe is running on the victim host as before,” the researchers concluded. “I think the remote vector is easier to exploit this time around since you can place both MSI and MST files on a network share under the attacker’s control.”

Citrix Workspace for Windows users should update their apps to the latest version, containing a revised patch.