Citrix has released a patch to address a critical vulnerability, tracked as CVE-2023-24492 with a CVSS score of 9.6, affecting the Secure Access client for Ubuntu that could be exploited to achieve remote code execution.
An attacker can trigger the vulnerability by tricking the victim into opening a specially crafted link and accepting further prompts.
The vulnerability affects versions of Citrix Secure Access client for Ubuntu before 23.5.2. The issue has been addressed in 23.5.2 and later releases.
Citrix also released a patch for a high-severity elevation of privilege vulnerability in the Secure Access client for Windows.
Tracked as CVE-2023-24491 with a CVSS score of 7.8, the issue allows an attacker with access to an endpoint under a standard user account and a vulnerable client to elevate privileges to those of NT Authority\System.
The vulnerability has been resolved with the release of Secure Access client for Windows version 126.96.36.199.
The vulnerability was reported by Rilke Petrosky of F2TC Cyber Security.
The advisory did not reveal if the vulnerability has been actively exploited by threat actors in the wild.
Citrix customers are advised to update their installations as soon as possible. Where the client is distributed via the SSL VPN upgrade control feature of Citrix ADC or Gateway, the vulnerable client should be replaced on the ADC or Gateway so that endpoints receive the fixed version.
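Checking which endpoints still run a pre-23.5.2 Ubuntu client is the practical follow-up to the advice above. The script below is an added example, not code from the advisory or from Citrix; it compares installed version strings against the fixed release 23.5.2 as numeric tuples rather than plain strings, so that a version such as 23.5.10 is not wrongly flagged as older than 23.5.2. The host inventory is constructed sample data; in practice the version strings would come from your package inventory or endpoint management tool.

```python
"""Added example (not from the Citrix advisory): flag Citrix Secure Access
client for Ubuntu installs still below the fixed release 23.5.2
(CVE-2023-24492). The host inventory below is constructed sample data."""
import re

FIXED_UBUNTU = (23, 5, 2)  # first fixed Ubuntu client release per the advisory


def parse_version(text):
    """Turn '23.5.2' (or a packaged form like '23.5.2-1ubuntu1') into an
    integer tuple. Plain string comparison would rank '23.5.10' below '23.5.2',
    which is exactly the mistake an inventory check must avoid."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version, length):
    """Right-pad a version tuple with zeros so '23.4' compares as '23.4.0'."""
    return version + (0,) * (length - len(version))


def ubuntu_client_vulnerable(version):
    """True when the installed Ubuntu client predates 23.5.2."""
    installed = parse_version(version)
    width = max(len(installed), len(FIXED_UBUNTU))
    return _pad(installed, width) < _pad(FIXED_UBUNTU, width)


# Constructed inventory: hostname -> client version reported by the endpoint
INVENTORY = {
    "lab-ubuntu-01": "23.5.1",
    "lab-ubuntu-02": "23.5.2",
    "lab-ubuntu-03": "23.5.10",          # string comparison would wrongly flag this
    "lab-ubuntu-04": "22.12.1-1ubuntu1",  # packaged suffix is ignored
}


def hosts_needing_update(inventory=INVENTORY):
    """Return the sorted list of hosts whose client is below the fixed release."""
    return sorted(host for host, ver in inventory.items() if ubuntu_client_vulnerable(ver))


if __name__ == "__main__":
    for host in hosts_needing_update():
        print(f"{host}: Citrix Secure Access client {INVENTORY[host]} is below 23.5.2, update required")
```

The same tuple comparison works for any other minimum-version check; only the `FIXED_UBUNTU` constant and the inventory source change.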