
Citrix Released Security Updates For Multiple Products, Including ShareFile Storage Zones And Citrix Virtual Apps And Desktops

Reference: Advisory #2023-71
Version: 2.0
Affected software:
  - All currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24
  - Virtual Delivery Agents for Windows or Linux used by Citrix Virtual Apps and Desktops and Citrix DaaS
Type: Remote Code Execution (RCE)
CVE/CVSS:
  - CVE-2023-24489 / CVSS 3.1 score: 9.1
  - CVE-2023-24490 / CVSS 3.1 score: 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Sources

Risks

One of the vulnerabilities patched by Citrix, CVE-2023-24489, could, if exploited, allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller. Exploitation of the vulnerability would have a high impact on the Confidentiality, Integrity, and Availability of the affected systems.

Another patched vulnerability, CVE-2023-24490, would allow a user with only limited access to launch VDA applications to elevate privileges and launch an unauthorized desktop.

Update: A Proof of Concept for exploiting CVE-2023-24489 has been released on GitHub (https://github.com/adhikara13/CVE-2023-24489-ShareFile) and allows for mass exploitation. This increases the risk of exploitation significantly.

Description

CVE-2023-24489 is an improper resource control vulnerability discovered in the customer-managed ShareFile storage zones controller. The vulnerability has a CVSS score of 9.1 and was classified as “critical”.
 
Affected products:
This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24.
 
CVE-2023-24490 is an improper access control vulnerability that impacts Citrix Virtual Apps and Desktops and Virtual Delivery Agent in Windows and Linux.
 
Affected products:
This vulnerability affects the following supported versions of 
  1. Windows Virtual Delivery Agent:
    • Citrix Virtual Apps and Desktops versions before 2305
    • Long Term Service Release (LTSR):
      • Citrix Virtual Apps and Desktops 2203 LTSR before CU3
      • Citrix Virtual Apps and Desktops 1912 LTSR before CU7
  2. Linux Virtual Delivery Agent:
    • Linux Virtual Delivery Agent version before 2305
    • Long Term Service Release (LTSR):
      • Linux Virtual Delivery Agent 2203 LTSR before CU3
      • Linux Virtual Delivery Agent 1912 LTSR before CU7 hotfix 1 (19.12.7001)
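As an added triage helper (not from the advisory or from Citrix), the Python below encodes the affected-version ranges listed above so an inventory can be checked against them; the inventory records, hostnames and field names are constructed assumptions, not real systems.

```python
"""Triage helper: flag inventoried Citrix components that fall inside the
version ranges this advisory lists for CVE-2023-24489 and CVE-2023-24490."""
from __future__ import annotations
import re

# Customer-managed ShareFile storage zones controller: fixed in 5.11.24.
SHAREFILE_FIXED = (5, 11, 24)
# Current-release VDA (Windows and Linux): fixed in 2305.
CURRENT_RELEASE_FIXED = 2305
# LTSR lines: fixed cumulative update per line (same for Windows and Linux).
LTSR_FIXED_CU = {2203: 3, 1912: 7}


def parse_version(v: str) -> tuple[int, ...]:
    """'5.11.20' -> (5, 11, 20); ignores any non-numeric build tags."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def sharefile_szc_affected(version: str) -> bool:
    """CVE-2023-24489: any controller version before 5.11.24 is affected."""
    return parse_version(version) < SHAREFILE_FIXED


def vda_affected(release: int, cu: int | None = None,
                 hotfix: int = 0, linux: bool = False) -> bool:
    """CVE-2023-24490: release is e.g. 2203; cu is the LTSR cumulative update
    (None = base release); Linux 1912 LTSR CU7 also needs hotfix 1."""
    if release in LTSR_FIXED_CU:
        needed = LTSR_FIXED_CU[release]
        if cu is None or cu < needed:
            return True
        if linux and release == 1912 and cu == needed and hotfix < 1:
            return True
        return False
    return release < CURRENT_RELEASE_FIXED


# Constructed sample inventory (hostnames and field layout are assumptions).
INVENTORY = [
    {"host": "szc-01", "product": "sharefile-szc", "version": "5.11.20"},
    {"host": "szc-02", "product": "sharefile-szc", "version": "5.11.24"},
    {"host": "vda-win-01", "product": "vda-windows", "release": 2305},
    {"host": "vda-win-02", "product": "vda-windows", "release": 2203, "cu": 2},
    {"host": "vda-lin-03", "product": "vda-linux", "release": 1912, "cu": 7},
    {"host": "vda-lin-04", "product": "vda-linux", "release": 2203, "cu": 3},
]


def triage(inventory: list[dict]) -> list[str]:
    """Return the hostnames whose recorded component is in an affected range."""
    hits = []
    for rec in inventory:
        if rec["product"] == "sharefile-szc":
            vuln = sharefile_szc_affected(rec["version"])
        else:
            vuln = vda_affected(rec["release"], rec.get("cu"),
                                rec.get("hotfix", 0), rec["product"] == "vda-linux")
        if vuln:
            hits.append(rec["host"])
    return hits
```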
 

Recommended Actions

To address these vulnerabilities, Citrix advises users to upgrade using:
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

References