Citrix Released Security Updates For Multiple Products, Including ShareFile Storage Zones And Citrix Virtual Apps And Desktops
Reference:
Advisory #2023-71
Version:
2.0
Affected software:
All currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24
Virtual Delivery Agents for Windows or Linux used by Citrix Virtual Apps and Desktops and Citrix DaaS
Type:
Remote Code Execution (RCE)
CVE/CVSS:
CVE-2023-24489 / CVSS 3.1 score: 9.1
CVE-2023-24490 / CVSS 3.1 score: 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Date:
22/06/2023
Sources
Risks
One of the vulnerabilities patched by Citrix, CVE-2023-24489, could, if exploited, allow an unauthenticated attacker to remotely compromise a customer-managed ShareFile storage zones controller. Exploitation has a high impact on the confidentiality, integrity and availability of the affected system.
The other vulnerability patched, CVE-2023-24490, could allow a user who is only authorised to launch VDA applications to elevate privileges and launch an unauthorised desktop session.
Update: a proof of concept for CVE-2023-24489 has been published on GitHub (https://github.com/adhikara13/CVE-2023-24489-ShareFile) and is suitable for mass exploitation. This significantly increases the risk of exploitation.
Description
CVE-2023-24489 is an improper resource control vulnerability in the customer-managed ShareFile storage zones controller. It has a CVSS 3.1 base score of 9.1 and is rated "critical".
Affected products:
This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24.
CVE-2023-24490 is an improper access control vulnerability in the Windows and Linux Virtual Delivery Agents used by Citrix Virtual Apps and Desktops and Citrix DaaS.
Affected products:
This vulnerability affects the following supported versions:
- Windows Virtual Delivery Agent:
  - Citrix Virtual Apps and Desktops versions before 2305
  - Long Term Service Release (LTSR):
    - Citrix Virtual Apps and Desktops 2203 LTSR before CU3
    - Citrix Virtual Apps and Desktops 1912 LTSR before CU7
- Linux Virtual Delivery Agent:
  - Linux Virtual Delivery Agent versions before 2305
  - Long Term Service Release (LTSR):
    - Linux Virtual Delivery Agent 2203 LTSR before CU3
    - Linux Virtual Delivery Agent 1912 LTSR before CU7 hotfix 1 (19.12.7001)
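The affected-version list above is easy to misread, in particular the Linux 1912 LTSR case, where CU7 alone is not enough and hotfix 1 is required. The script below is an added example (not Citrix or CERT.be tooling) that encodes the advisory's thresholds and runs them over an inventory. It assumes release labels written the way the advisory writes them ("2203 LTSR CU2", "1912 LTSR CU7 hotfix 1"), which is a convention chosen here and not a format the Citrix components report themselves; the inventory entries are constructed sample data. LTSR branches the advisory does not mention are reported as "not covered" rather than silently treated as safe.

```python
import re
from typing import List, Optional, Tuple

# Thresholds taken from the advisory text (Citrix advisory for CVE-2023-24489 / CVE-2023-24490).
SZC_FIXED = (5, 11, 24)                 # customer-managed ShareFile storage zones controller
VDA_CR_FIXED = 2305                     # Current Release VDA, Windows and Linux
VDA_LTSR_FIXED_CU = {2203: 3, 1912: 7}  # LTSR branch -> first Cumulative Update with the fix
LINUX_1912_HOTFIX = 1                   # Linux 1912 LTSR additionally needs CU7 hotfix 1 (19.12.7001)


def parse_dotted(version: str) -> Tuple[int, ...]:
    """'5.11.24' -> (5, 11, 24). Rejects anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in version.split("."))


def szc_affected(version: str) -> bool:
    """True if a customer-managed storage zones controller is below 5.11.24."""
    return parse_dotted(version) < SZC_FIXED


# Label convention assumed by this example: '<yymm>[ LTSR][ CU<n>][ hotfix <m>]'.
_VDA_LABEL = re.compile(
    r"^(?P<base>\d{4})"
    r"(?P<ltsr>\s+LTSR)?"
    r"(?:\s+CU(?P<cu>\d+))?"
    r"(?:\s+hotfix\s+(?P<hf>\d+))?$",
    re.IGNORECASE,
)


def vda_affected(label: str, os_name: str) -> Optional[bool]:
    """True/False when the advisory covers this release; None when it does not
    (e.g. an LTSR branch the advisory does not list), so the caller escalates
    instead of treating the host as patched."""
    m = _VDA_LABEL.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised VDA release label: {label!r}")
    base = int(m.group("base"))
    if m.group("ltsr") is None:
        # Current Release branch: everything before 2305 is affected.
        return base < VDA_CR_FIXED
    if base not in VDA_LTSR_FIXED_CU:
        return None
    cu = int(m.group("cu") or 0)          # bare '2203 LTSR' means CU0, i.e. the base release
    fixed_cu = VDA_LTSR_FIXED_CU[base]
    if cu != fixed_cu:
        return cu < fixed_cu
    # Exactly at the fixed CU: on Linux, 1912 LTSR still needs hotfix 1.
    if os_name.lower() == "linux" and base == 1912:
        return int(m.group("hf") or 0) < LINUX_1912_HOTFIX
    return False


def triage(inventory: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, reason) for every entry that still needs action.
    Entries are (hostname, product, os, version) with product 'szc' or 'vda'."""
    todo = []
    for host, product, os_name, version in inventory:
        if product == "szc":
            affected = szc_affected(version)
        elif product == "vda":
            affected = vda_affected(version, os_name)
        else:
            raise ValueError(f"{host}: unknown product {product!r}")
        if affected is None:
            todo.append((host, f"{product} {version}: not covered by the advisory, verify with vendor"))
        elif affected:
            todo.append((host, f"{product} {version}: vulnerable, upgrade required"))
    return todo


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("szc-eu-1",    "szc", "windows", "5.11.22"),                  # affected
    ("szc-eu-2",    "szc", "windows", "5.11.24"),                  # fixed
    ("vda-cr-01",   "vda", "windows", "2303"),                     # affected (CR before 2305)
    ("vda-cr-02",   "vda", "windows", "2305"),                     # fixed
    ("vda-ltsr-01", "vda", "windows", "2203 LTSR CU2"),            # affected
    ("vda-ltsr-02", "vda", "windows", "2203 LTSR CU3"),            # fixed
    ("vda-lnx-01",  "vda", "linux",   "1912 LTSR CU7"),            # affected: hotfix 1 missing
    ("vda-lnx-02",  "vda", "linux",   "1912 LTSR CU7 hotfix 1"),   # fixed
    ("vda-win-03",  "vda", "windows", "1912 LTSR CU7"),            # fixed on Windows
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Run against the sample inventory, the script flags szc-eu-1, vda-cr-01, vda-ltsr-01 and vda-lnx-01; note that the same "1912 LTSR CU7" label is reported as fixed on Windows and vulnerable on Linux.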
Recommended Actions
To address these vulnerabilities, Citrix advises customers to upgrade to:
- ShareFile storage zones controller version 5.11.24 or any later version, which contain the fix (https://www.citrix.com/downloads/sharefile/product-software/sharefile-st...). Customers using ShareFile-managed storage zones in the cloud do not need to take any action.
- the Windows and Linux Virtual Delivery Agent builds that contain the fix (https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/).
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident