Citrix released a patch for a number of high-severity vulnerabilities affecting multiple offerings, the company confirmed in a security bulletin earlier this week.
Given the severity of the flaws, the prevalence of the tools in question, and the fact that there are no workarounds and other mitigations, the company said it was pivotal for the affected organizations to apply the fix immediately.
The Us Cybersecurity & Infrastructure Security Agency (CISA) also chimed in, issuing an alert of its own, urging Citrix customers to not stall with the updates, BleepingComputer has found.
There are a total of five vulnerabilities addressed in the patch: CVE-2023-24483 (allows for privilege escalation), CVE-2023-24484 (allows for access to log files otherwise out of reach for regular users), CVE-2023-24485 (allows for privilege escalation), CVE-2023-24486 (allows for session takeover), and CVE-2023-24483 (allows for privilege escalation to NT AUTHORITY\SYSTEM).
This final flaw is the most severe of all, giving potential threat actors a way to execute arbitrary code, obtain important documents, and tweak the target endpoint’s (opens in new tab)system.
The tools affected by these flaws are Citrix Virtual Apps and Desktops, and the Workspace app, namely these versions:
- Citrix Virtual Apps and Desktops 2212 and later versions
- Citrix Virtual Apps and Desktops 2203 LTSR CU2 and later cumulative updates
- Citrix Virtual Apps and Desktops 1912 LTSR CU6 and later cumulative updates
- Citrix Workspace App 2212 and later
- Citrix Workspace App 2203 LTSR CU2 and later cumulative updates
- Citrix Workspace App 1912 LTSR CU7 Hotfix 2 (19.12.7002) and later cumulative updates
- Citrix Workspace app for Linux 2302 and later
“Citrix strongly recommends that customers upgrade to a fixed version as soon as possible,” the company said in its security bulletin.
As there are no mitigations or workarounds for these flaws, the only way to remain secure is to install the patches, the company added.
- Here are the best firewalls (opens in new tab)
Via: BleepingComputer (opens in new tab)