Citrix earlier this week released security fixes for multiple vulnerabilities in Citrix Virtual Apps and Desktops and in the Workspace app for Windows and Linux.
The first vulnerability, tracked as CVE-2023-24483, is a privilege escalation issue in Virtual Apps and Desktops that allows an attacker with access to a Windows VDA as a standard Windows user to elevate privileges to System.
The security defect impacts all Citrix Virtual Apps and Desktops versions before 2212, as well as long term service release (LTSR) versions 2203 before CU2 and 1912 before CU6.
Citrix also addressed two flaws in the Workspace app for Windows that can be chained to elevate privileges and perform actions as a System user:
- First one – CVE-2023-24484 – allows an attacker to write log files to a directory they do not have permission to write to;
- Second one – CVE-2023-24485 – allows them to escalate privileges.
To exploit these vulnerabilities, an attacker needs access to the system running a vulnerable version of the Workspace app. For the second bug, access is required at the time an administrator or System process installs or uninstalls the Workspace app.
These vulnerabilities impact Workspace App versions before 2212, 2203 LTSR before CU2, and 1912 LTSR before CU7 Hotfix 2 (19.12.7002).
Another vulnerability, tracked as CVE-2023-24486, resides in the Workspace app for Linux and could allow an attacker to take over another user's session. It affects all versions of the Workspace app for Linux before 2302.
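The affected-version statements for Virtual Apps and Desktops, the Workspace app for Windows and the Workspace app for Linux above are the part of this advisory a practitioner actually has to operationalise. The script below turns them into a triage check for an inventory export. It is an added example, not code from Citrix or from the original article, and it makes one assumption the page does not state: that Citrix's YYMM release names map to "YY.MM" in the installed version string and that an LTSR cumulative update is encoded in the third component as CU × 1000 plus the hotfix number, which matches the one encoding the page does give (1912 LTSR CU7 Hotfix 2 = 19.12.7002). Verify that mapping against your own installed builds before relying on the output.

```python
"""Classify Citrix builds as affected or fixed for CVE-2023-24483 through
CVE-2023-24486 using the version thresholds stated in the advisory summary.

Added example, not Citrix's or the article's code. Assumption (not on the
page): YYMM release names appear as "YY.MM" in the version string, and an LTSR
cumulative update is encoded in the third component as CU*1000 + hotfix,
consistent with the one encoding the page gives (1912 CU7 Hotfix 2 = 19.12.7002).
"""

# Fixed versions from the advisory summary. "current" is the first fixed
# current-release branch (major, minor); "ltsr" maps an LTSR branch to the
# minimum third component that carries the fix.
FIXED = {
    "cvad": {"current": (22, 12), "ltsr": {(22, 3): 2000, (19, 12): 6000}},
    "workspace_windows": {"current": (22, 12), "ltsr": {(22, 3): 2000, (19, 12): 7002}},
    "workspace_linux": {"current": (23, 2), "ltsr": {}},
}


def parse_version(text):
    """Return (major, minor, third) from '22.3.2000.1', '19.12.7002', or a bare
    release name such as '2212' (assumed to mean 22.12)."""
    text = text.strip()
    if text.isdigit() and len(text) == 4:
        return (int(text[:2]), int(text[2:]), 0)
    parts = text.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0, 0]  # pad so 'YY.MM' still has a third field
    return (nums[0], nums[1], nums[2])


def is_affected(product, version):
    """True if the build still carries the vulnerability for this product."""
    rules = FIXED[product]
    major, minor, third = parse_version(version)
    branch = (major, minor)
    if branch in rules["ltsr"]:
        # LTSR branch: the CU level decides, not the (older) branch date.
        return third < rules["ltsr"][branch]
    # Current-release branch: anything before the first fixed release.
    return branch < rules["current"]


def triage(inventory):
    """Map (product, version) pairs to 'affected' / 'fixed' for a fleet export."""
    return {f"{p}:{v}": ("affected" if is_affected(p, v) else "fixed") for p, v in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("workspace_windows", "22.9.0.28"),
        ("workspace_windows", "19.12.7002"),
        ("cvad", "22.3.1000.24"),
        ("workspace_linux", "2212"),
    ]
    for host, verdict in triage(sample).items():
        print(host, verdict)
```

The LTSR lookup is checked before the current-release comparison on purpose: a 2203 LTSR CU2 build is older than 2212 by date but is fixed, so a naive "less than 2212" comparison would flag patched LTSR hosts as vulnerable.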
Citrix recommends that all customers apply the available patches as soon as possible. The company makes no mention of any of these vulnerabilities being exploited in attacks.
For more information, see the official advisory.