The vulnerability, tracked as CVE-2020-8207 and rated high severity, affects the automatic update service used by the Citrix Workspace app for Windows. It can be exploited for arbitrary command execution by a local attacker to escalate privileges, or by a remote attacker. The flaw was found by a researcher at Pen Test Partners. The firm has published a blog post describing how a local attacker can exploit it to elevate privileges to SYSTEM, and how it can be exploited remotely for arbitrary command execution. Pen Test Partners has shared technical details and a video demonstrating how the vulnerability could be abused by a malicious actor.
“The Citrix Workspace Updater System can be fooled into running an arbitrary process under the SYSTEM account by sending a crafted message over a named pipe and spoofing the client process ID,” Pen Test Partners explained in its blog post. “While the attack requires a low-privilege account, environments that do not enforce SMB signing are particularly vulnerable since an attack can be performed without knowing valid credentials via NTLM credential relay.”

According to Citrix, the bug affects Citrix Workspace app for Windows versions 1912 LTSR and 2002, and it has been patched in versions 1912 LTSR CU1 and 2006.1. The vendor pointed out that only the Windows version of the Workspace app is affected, and that the bug occurs only when the application was installed using a local or domain admin account. Remote attacks are possible only when SMB is allowed and the affected update service is running.

Citrix told customers earlier this month that it had patched 11 vulnerabilities in its ADC, Gateway and SD-WAN networking products, but downplayed their impact. Nonetheless, a few days after the vulnerabilities were disclosed, researchers noticed that someone had already started scanning for vulnerable systems.

Citrix denied last week that its systems had been breached, following claims that data on the company’s users had been put up for sale on the dark web. The company explained that the data came from a third party and said it was not very sensitive.
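As an added defender-side triage check (not code from Citrix or Pen Test Partners), the following PowerShell collects, on one Windows host, the conditions the article ties to exposure: the installed Workspace version to compare against the fixed releases, whether the update service is running, and whether SMB signing is required (the unsigned-SMB case is the one the researchers single out for NTLM relay). The Uninstall registry path and the updater service name are assumptions, marked in the code.

```powershell
# Added example. Assumptions: the Workspace app registers under the standard
# Uninstall keys with a DisplayName starting "Citrix Workspace", and the
# updater runs as a Windows service whose name is set below (placeholder;
# confirm the real service name with Get-Service on a reference machine).
$UpdaterServiceName = 'CitrixWorkspaceUpdater'   # ASSUMED service name, verify locally
$FixedVersions      = @('1912 LTSR CU1', '2006.1') # fixed releases named by Citrix

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Installed Workspace app entry (first match only)
$workspace = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Citrix Workspace*' } |
    Select-Object -First 1 DisplayName, DisplayVersion

# Updater service state; missing service most likely means the assumed name is wrong
$svc = Get-Service -Name $UpdaterServiceName -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status.ToString() } else { 'not found (check service name)' }

# SMB server signing requirement on this host
$smb = Get-SmbServerConfiguration

# Remote exposure per the advisory: update service running and SMB reachable;
# lack of required signing is what enables the credential-less relay case.
$relayRisk = [bool]($svc -and $svc.Status -eq 'Running' -and -not $smb.RequireSecuritySignature)

[pscustomobject]@{
    WorkspaceInstalled     = [bool]$workspace
    WorkspaceVersion       = $workspace.DisplayVersion
    FixedVersionsToCompare = ($FixedVersions -join ', ')
    UpdaterServiceState    = $svcState
    SmbSigningRequired     = $smb.RequireSecuritySignature
    RemoteRelayRiskFlag    = $relayRisk
}
```

Compare WorkspaceVersion against the fixed releases by hand, since the registry DisplayVersion string does not use the same naming as Citrix's release labels.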