Citrix Recording Manager Zero-Day Bug Allows Unauthenticated RCE

Published: 23/11/2024   Category: security




The security vulnerability is due to an exposed Microsoft Message Queuing (MSMQ) instance and the use of the insecure BinaryFormatter.



[Ed. note, Nov. 12 at 12:30 p.m. ET: Citrix has now issued patches for the issue and assigned CVE-2024-8068/CVE-2024-8069 for tracking.]
An unpatched zero-day vulnerability in Citrix’s Session Recording Manager allows unauthenticated remote code execution (RCE), paving the way for data theft, lateral movement, and desktop takeover.
According to watchTowr research out today, the issue (which does not yet have a CVE or CVSS score) resides in Citrix's Session Recording Manager, which, as its name implies, records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more.
Citrix advertises the feature as being "really useful for monitoring (somewhat obviously), but also for compliance and troubleshooting. It can even be set up so that certain actions (like identifying sensitive data) will trigger recording, which helps meet regulatory needs and flag suspicious activities," the watchTowr researchers noted in the report.
The feature logs session recordings via Microsoft Message Queuing (MSMQ), which enables efficient data transfer from individual computers to centralized storage. However, the Citrix implementation uses BinaryFormatter for serialization and deserialization of the information for easier and more accurate transfer and storage. The utility is unfortunately well-known to be insecure.
BinaryFormatter is a .NET class created by Microsoft, which is in the process of deprecating it: "BinaryFormatter is insecure and can't be made secure. Applications should stop using [it] as soon as possible, even if they believe the data they're processing to be trustworthy," the computing giant said in August.
On top of the BinaryFormatter issue, Session Recording Manager also involves an exposed MSMQ service that can be reached from any host via HTTP. This, combined with what watchTowr says are misconfigured permissions, paves the way for unauthenticated RCE.
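For defenders, one check that follows from the two paragraphs above is to flag captured message bodies that carry a BinaryFormatter stream. The sketch below is an added example, not code from the article, watchTowr, or Citrix; it assumes the common 17-byte stream prefix defined by the MS-NRBF format, and the sample body and assembly name are constructed.

```python
import struct

# Common first 17 bytes of a BinaryFormatter (MS-NRBF) stream:
# SerializationHeaderRecord = record type 0, RootId 1, HeaderId -1, version 1.0.
NRBF_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")
BINARY_LIBRARY = 0x0C  # record naming the assembly of the object that follows

def read_7bit_length(buf, pos):
    """Decode a .NET 7-bit-encoded length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        b = buf[pos]              # IndexError here means the data is truncated
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def find_nrbf(body):
    """Return one finding per BinaryFormatter header found in a raw body."""
    findings = []
    start = body.find(NRBF_HEADER)
    while start != -1:
        pos = start + len(NRBF_HEADER)
        library = None            # stays None when the root is a system type
        try:
            if body[pos] == BINARY_LIBRARY:
                # skip record type (1 byte) and library id (4 bytes)
                length, name_pos = read_7bit_length(body, pos + 5)
                raw = body[name_pos:name_pos + length]
                library = raw.decode("utf-8", "replace")
        except IndexError:
            pass                  # truncated capture: report the header only
        findings.append({"offset": start, "library": library})
        start = body.find(NRBF_HEADER, start + 1)
    return findings

# Constructed sample body (not real traffic); the assembly name is made up.
NAME = b"Example.QueuedMessage"
SAMPLE = (b"--boundary\r\n\r\n" + NRBF_HEADER + bytes([BINARY_LIBRARY])
          + struct.pack("<i", 2) + bytes([len(NAME)]) + NAME)

if __name__ == "__main__":
    for hit in find_nrbf(SAMPLE):
        print("BinaryFormatter stream at offset", hit["offset"], "->", hit["library"])
```

A hit is a reason to investigate, not proof of an attack: legitimate clients of the service send the same format, so pair it with the sender's address and the queue's access permissions.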
Dark Reading has reached out for comment and planned patching or mitigation information from both watchTowr and Citrix. There is no evidence of in-the-wild exploitation yet, but given Citrix's attractiveness as a cybercrime target, that could soon change.