Case
Citrix has announced security vulnerabilities in the Virtual Delivery Agent (VDA) of Citrix Virtual Apps and Desktops. On November 10th 2020 the following vulnerabilities were announced.
| CVE ID | Description | Vulnerability Type | Pre-conditions |
|---|---|---|---|
| CVE-2020-8269 | An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM | CWE-269: Improper Privilege Management | The attacker must be an authenticated user on the Windows VDA with write access to the C:\ directory |
| CVE-2020-8270 | An unprivileged Windows user on the VDA or an SMB user can perform arbitrary command execution as SYSTEM | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The attacker must be an authenticated user on the Windows VDA or be authenticated to the Windows SMB service running on the VDA |
The vulnerabilities affect the following supported versions of Citrix Virtual Apps and Desktops:
- Citrix Virtual Apps and Desktops 2006 and earlier versions
- Citrix Virtual Apps and Desktops 1912 LTSR CU1 and earlier versions of 1912 LTSR
- Citrix XenApp / XenDesktop 7.15 LTSR CU6 and earlier versions of 7.15 LTSR
- Citrix XenApp / XenDesktop 7.6 LTSR CU8 and earlier versions of 7.6 LTSR
Please note that Citrix XenApp / XenDesktop 7.6 LTSR is not affected by CVE-2020-8270.
Mitigation actions
The issues have been addressed in the following versions of Citrix Virtual Apps and Desktops:
- Citrix Virtual Apps and Desktops 2009 or later
- Citrix Virtual Apps and Desktops 1912 LTSR CU1 hotfixes CTX285870, CTX285871, CTX285872 and CTX286120, and later cumulative updates
- Citrix XenApp / XenDesktop 7.15 LTSR CU6 hotfixes CTX285341, CTX285342 and CTX285344, and later cumulative updates
- Citrix XenApp / XenDesktop 7.6 LTSR CU9 and later cumulative updates
Citrix strongly recommends that customers upgrade to a fixed version as soon as possible.