
PoC Released for Citrix Vulnerabilities

November 13, 2024


THE THREAT

Update: eSentire has observed multiple exploitation attempts targeting CVE-2024-8069. In real-world attacks, threat actors successfully achieved RCE and attempted to establish a reverse shell for persistent access. All attempts to establish reverse shells have failed due to existing security appliances.

On November 12th, Citrix disclosed two separate vulnerabilities in Citrix Session Recording, a component affecting multiple versions of Citrix Virtual Apps and Desktops. According to Citrix, the vulnerabilities, tracked as CVE-2024-8068 (CVSS: 5.1) and CVE-2024-8069 (CVSS: 5.1), allow privilege escalation and Remote Code Execution (RCE) by previously authenticated threat actors.

The vulnerabilities were discovered and reported to Citrix by watchTowr. Researchers at watchTowr have publicly disputed Citrix's description and criticality rating. They claim that the vulnerabilities can be exploited by unauthenticated threat actors to execute code on the underlying Windows server hosting the Citrix applications, making them high value for initial access into victim organizations. Alongside the public disclosure, watchTowr released technical details and public Proof-of-Concept (PoC) exploit code.

At the time of initial publication, eSentire had not observed exploitation, but there were public reports of exploitation attempts beginning on November 12th. The eSentire Threat Intelligence team assesses that it is almost certain that the available PoC exploit code will be employed by threat actors in the immediate future to exploit these vulnerabilities.

Additional information

As technical details and PoC exploit code for CVE-2024-8068 and CVE-2024-8069 are publicly available, and there are preliminary reports of exploitation attempts, it is critical that organizations using Citrix Virtual Apps and Desktops apply the relevant security patches immediately. Citrix has not provided alternative mitigations at this time.

The debate surrounding whether these vulnerabilities can be exploited without prior authentication is ongoing. Based on an internal review of these vulnerabilities, the eSentire Threat Intelligence team assesses that threat actors would require internal network access in order to reach TCP port 1801 (Microsoft Message Queuing) on the Windows server hosting Citrix Virtual Apps and Desktops. If the server hosting the Citrix applications is directly exposed to the Internet on that port, authentication would not be required.
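Because the assessment above turns on whether port 1801 on the Session Recording server is reachable from outside the internal network, a quick way to answer that for your own estate is to triage firewall or flow logs for inbound TCP/1801 and separate internal from Internet-sourced connections. The script below is an added example for this advisory, not eSentire's or Citrix's tooling. It assumes a CSV export with the columns timestamp,src_ip,dst_ip,dst_port,proto,action (adapt the reader to your firewall's format), treats only RFC 1918, loopback and link-local sources as internal unless you supply extra ranges, and uses a constructed sample log in which 10.20.30.40 stands in for a Session Recording server.

```python
"""
Firewall/flow-log triage for inbound TCP/1801 (MSMQ) to Citrix Session
Recording servers.

Added example for this advisory; it is not eSentire's or Citrix's tooling.
Assumptions: a CSV export with the columns
timestamp,src_ip,dst_ip,dst_port,proto,action, and that "internal" means
RFC 1918, loopback and link-local plus whatever ranges the caller adds.
"""
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass

MSMQ_TCP_PORT = 1801  # port named in the advisory's exploitation precondition

# Ranges treated as "inside the network". Python's ip.is_private also marks
# the documentation ranges (203.0.113.0/24 etc.) as private, so an explicit
# list is used instead; callers extend it with their own allocations.
_DEFAULT_INTERNAL = (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    exposure: str   # "internal" or "internet"
    action: str     # firewall verdict, e.g. ALLOW / DENY


def classify_source(ip_text: str, extra_internal=()) -> str:
    """Return 'internal' if ip_text falls in a trusted range, else 'internet'."""
    ip = ipaddress.ip_address(ip_text)
    nets = [ipaddress.ip_network(n) for n in (*_DEFAULT_INTERNAL, *extra_internal)]
    return "internal" if any(ip in n for n in nets) else "internet"


def find_msmq_connections(log_text: str, session_recording_hosts, extra_internal=()):
    """Pick out every TCP/1801 connection aimed at a Session Recording server."""
    targets = {ipaddress.ip_address(h) for h in session_recording_hosts}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["proto"].upper() != "TCP":
            continue
        if int(row["dst_port"]) != MSMQ_TCP_PORT:
            continue
        if ipaddress.ip_address(row["dst_ip"]) not in targets:
            continue
        findings.append(Finding(
            ts=row["timestamp"], src=row["src_ip"], dst=row["dst_ip"],
            exposure=classify_source(row["src_ip"], extra_internal),
            action=row["action"].upper(),
        ))
    return findings


def summarize(findings):
    """Counts that answer: is 1801 reachable from the Internet, and was it used?"""
    exposure = Counter(f.exposure for f in findings)
    allowed_ext = [f for f in findings if f.exposure == "internet" and f.action == "ALLOW"]
    return {
        "internet": exposure["internet"],
        "internal": exposure["internal"],
        "allowed_from_internet": len(allowed_ext),
        "external_sources": sorted({f.src for f in allowed_ext}),
    }


# Constructed sample log (not real telemetry); 10.20.30.40 is the assumed
# Session Recording server, 203.0.113.45 / 198.51.100.7 are outside sources.
SAMPLE_LOG = """timestamp,src_ip,dst_ip,dst_port,proto,action
2024-11-13T02:14:05Z,203.0.113.45,10.20.30.40,1801,TCP,ALLOW
2024-11-13T02:14:07Z,203.0.113.45,10.20.30.40,1801,TCP,ALLOW
2024-11-13T02:15:00Z,10.20.31.12,10.20.30.40,1801,TCP,ALLOW
2024-11-13T02:16:12Z,198.51.100.7,10.20.30.40,1801,TCP,DENY
2024-11-13T02:16:30Z,198.51.100.7,10.20.30.40,443,TCP,ALLOW
2024-11-13T02:17:00Z,10.20.31.12,10.20.30.41,1801,TCP,ALLOW
"""

if __name__ == "__main__":
    hits = find_msmq_connections(SAMPLE_LOG, ["10.20.30.40"])
    for h in hits:
        print(f"{h.ts} {h.src:>15} -> {h.dst}:{MSMQ_TCP_PORT} {h.action:<5} [{h.exposure}]")
    print(summarize(hits))
```

An ALLOW from an Internet source means the unauthenticated path described above applies to that server regardless of where the authentication debate lands; a DENY still shows that someone is probing the port. Pass VPN, partner or cloud egress ranges in extra_internal so they are not mistaken for Internet exposure, and remember that this only establishes network reachability, not whether the Citrix patch has been applied.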

References:

[1] https://support.citrix.com/s/article/CTX691941-citrix-session-recording-security-bulletin-for-cve20248068-and-cve20248069?language=en_US
[2] https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/
[3] https://github.com/watchtowrlabs/Citrix-Virtual-Apps-XEN-Exploit/blob/main/exploit-citrix-xen.py
[4] https://x.com/Shadowserver/status/1856435596085895328
