Researchers have disclosed critical security vulnerabilities in Citrix Digital Apps and Desktop that could allow attackers to execute arbitrary code remotely without authentication.
The issue stems from a vulnerability in the session recording component, which lets system administrators capture user activity, including keyboard and mouse input and the desktop video feed, for auditing, compliance, and troubleshooting.
The newly discovered vulnerability chain takes advantage of a careless exposure combined with misconfigured permissions, allowing attackers to abuse BinaryFormatter and execute code remotely without authentication, said security researcher Sina Kheirkhah.
The vulnerabilities are listed below:
- A privilege escalation flaw that allows an attacker with low privileges on the system to gain the access rights of the NetworkService account (CVSS score: 5.1)
- A remote code execution flaw that allows attackers to execute arbitrary code with the privileges of the NetworkService account
Citrix emphasized that successful exploitation requires the attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server and on the same internal network as that server. The flaws have been fixed in the following versions:
- Citrix Digital Apps and Desktops prior to Hotfix 24.5.200.8
- Citrix Digital Apps and Desktops 1912 Long Term Service Release (LTSR), prior to Cumulative Update 9 (CU9) hotfix 19.12.9100.6
- Citrix Digital Apps and Desktops 2203 LTSR, prior to Cumulative Update 5 (CU5) hotfix 22.03.5100.11
- Citrix Digital Apps and Desktops 2402 LTSR, prior to Cumulative Update 1 (CU1) hotfix 24.02.1200.16
It is worth noting that Microsoft advises developers to stop using BinaryFormatter for deserialization because it is unsafe when processing untrusted input, which poses a significant security risk. BinaryFormatter has been deprecated in .NET 9 since August 2024.
“Prior to the widespread recognition of deserialization vulnerability risks, Microsoft’s BinaryFormatter was used,” according to the company’s documentation. Consequently, the code fails to align with contemporary best practices for software development. “Furthermore, BinaryFormatter.Deserialize may be vulnerable to a range of attacks, including data breaches and remote code injection.”
At the core of the problem lies the Session Recording Storage Supervisor, a Windows service that manages the recorded session files received from each computer with the feature enabled.
The Storage Supervisor receives session recordings as message bytes via the Microsoft Message Queuing (MSMQ) service. Analysis shows that the data is serialized for transfer and that the queue is created with overly broad permissions.
To compound the issue, data read from the queue is deserialized with BinaryFormatter, so an attacker can abuse the insecure permissions set during initialization to send maliciously crafted data to the queue remotely.
A classic Microsoft Message Queuing (MSMQ) scenario with misconfigured permissions, abused through the infamous BinaryFormatter class during deserialization, is how Kheirkhah described the vulnerability in his write-up. “The cherry on top is that it is not only reachable locally via MSMQ’s TCP port, but is also exposed through its HTTP interface, which is reachable from any host.”
Chained together, the vulnerabilities allow unauthenticated remote code execution.
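The following example, added here and not code from Citrix or the researcher, shows the two defensive changes the article implies for a queue consumer like the one described: replacing BinaryFormatter with a serializer bound to a fixed contract type, and replacing permissive queue rights with an explicit allow list. It assumes .NET Framework 4.8 with a reference to System.Messaging; the queue path, account names, type name and field names are hypothetical.

```csharp
// Added example (not Citrix code). Assumes .NET Framework 4.8 + System.Messaging.
using System;
using System.IO;
using System.Messaging;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Runtime.Serialization.Json;
using System.Text;

// Hypothetical, fixed message shape: the consumer only ever instantiates this type.
[DataContract]
public sealed class RecordingEnvelope
{
    [DataMember] public string FileName { get; set; }
    [DataMember] public int Sequence { get; set; }
    [DataMember] public string SessionId { get; set; }
}

public static class RecordingQueueConsumer
{
    // VULNERABLE PATTERN, shown for comparison only: BinaryFormatter constructs
    // whatever types the payload names, so anyone who can write to the queue
    // decides which objects the service instantiates.
    public static object DeserializeWithBinaryFormatter(Stream body)
    {
        return new BinaryFormatter().Deserialize(body);
    }

    // HARDENED: contract-bound deserialization (no type names taken from the
    // payload), a size bound, and field validation before the value is used.
    public static RecordingEnvelope DeserializeEnvelope(Stream body, long maxBytes = 4 * 1024 * 1024)
    {
        if (body.CanSeek && body.Length > maxBytes)
            throw new InvalidDataException("message exceeds size limit");

        var serializer = new DataContractJsonSerializer(typeof(RecordingEnvelope));
        var env = (RecordingEnvelope)serializer.ReadObject(body);

        if (env == null || string.IsNullOrEmpty(env.SessionId) || string.IsNullOrEmpty(env.FileName))
            throw new InvalidDataException("missing required fields");
        if (env.Sequence < 0)
            throw new InvalidDataException("negative sequence number");
        // Reject anything that is not a bare file name, so the recording cannot be
        // written outside the storage folder.
        if (env.FileName != Path.GetFileName(env.FileName) ||
            env.FileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new InvalidDataException("invalid file name");
        return env;
    }

    // Queue ACL hardening: drop the default rights and grant only what each
    // identity needs. Account names are placeholders for the real sender and
    // service identities of a given deployment.
    public static void RestrictQueuePermissions(string queuePath, string senderAccount, string serviceAccount)
    {
        using (var queue = new MessageQueue(queuePath))
        {
            queue.ResetPermissions();
            queue.SetPermissions(senderAccount,
                MessageQueueAccessRights.WriteMessage, AccessControlEntryType.Allow);
            queue.SetPermissions(serviceAccount,
                MessageQueueAccessRights.ReceiveMessage | MessageQueueAccessRights.PeekMessage,
                AccessControlEntryType.Allow);
        }
    }

    public static void Main()
    {
        // Constructed sample body; members are in alphabetical order, which is
        // what DataContractJsonSerializer expects by default.
        string json = "{\"FileName\":\"s-0001.icl\",\"Sequence\":3,\"SessionId\":\"s-0001\"}";
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(json)))
        {
            RecordingEnvelope env = DeserializeEnvelope(ms);
            Console.WriteLine("{0} chunk {1} -> {2}", env.SessionId, env.Sequence, env.FileName);
        }
        // RestrictQueuePermissions(@".\private$\recordings", "DOMAIN\\agent-svc", "NT AUTHORITY\\NETWORK SERVICE");
    }
}
```

The queue-permission call is left commented out in Main because it modifies a live MSMQ queue; the point of the pair is that both fixes are needed, since a contract-bound deserializer limits what a message can do, while the ACL limits who can send one at all.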