Citrix announced VAD security vulnerabilities

Case

Citrix announced VAD security vulnerabilities. On November 10th, 2020, the following vulnerabilities were announced:

CVE-2020-8269
  • Description: An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM
  • Vulnerability type: CWE-269: Improper Privilege Management
  • Pre-conditions: The attacker must be an authenticated user on the Windows VDA with write access to the C:\ directory

CVE-2020-8270
  • Description: An unprivileged Windows user on the VDA or an SMB user can perform arbitrary command execution as SYSTEM
  • Vulnerability type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Pre-conditions: The attacker must be an authenticated user on the Windows VDA or be authenticated to the Windows SMB service running on the VDA

The vulnerabilities affect the following supported versions of Citrix Virtual Apps and Desktops:

  • Citrix Virtual Apps and Desktops 2006 and earlier versions
  • Citrix Virtual Apps and Desktops 1912 LTSR CU1 and earlier versions of 1912 LTSR
  • Citrix XenApp / XenDesktop 7.15 LTSR CU6 and earlier versions of 7.15 LTSR
  • Citrix XenApp / XenDesktop 7.6 LTSR CU8 and earlier versions of 7.6 LTSR

Please note that Citrix XenApp / XenDesktop 7.6 LTSR is not affected by CVE-2020-8270.

Mitigation actions

The issues have been addressed in the following versions of Citrix Virtual Apps and Desktops:

  • Citrix Virtual Apps and Desktops 2009 or later
  • Citrix Virtual Apps and Desktops 1912 LTSR CU1 hotfixes CTX285870, CTX285871, CTX285872 and CTX286120, and later cumulative updates
  • Citrix XenApp / XenDesktop 7.15 LTSR CU6 hotfixes CTX285341, CTX285342 and CTX285344, and later cumulative updates
  • Citrix XenApp / XenDesktop 7.6 LTSR CU9 and later cumulative updates

Citrix strongly recommends that customers upgrade to a fixed version as soon as possible.

Source

https://support.citrix.com/article/CTX285059