Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability

Vendor: Citrix
Vendor URL: http://www.citrix.com/
Versions affected: Citrix Workspace App versions prior to 1904 and Receiver for Windows versions prior to LTSR 4.9 CU6 version 4.9.6001
Systems Affected: Microsoft Windows
Author: Ollie Whitehouse 
        Richard Warren 
        Martin Hill 
Advisory URL / CVE Identifier: CVE-2019-11634.
Risk: Critical

Summary

The Citrix Workspace / Receiver client suffers a logic vulnerability allowing remote access to a host’s storage via Edge, Internet Explorer, Firefox and Chrome on Microsoft Windows by a malicious Citrix server.

Location

Citrix Workspace / Receiver for Windows client.

Impact

Upon successful exploitation, remote access to the storage of the host is available to the malicious Citrix server. This access facilitates data exfiltration and/or remote code execution.

Details

The expected behaviour is that the Citrix client should prompt the user to allow access to their local storage when connecting if not previously approved. This is the behaviour seen when launching sessions via .ica files and similar. However when launching sessions via the browser and the WebHelper component no such prompt is presented.

When exploiting via Microsoft Edge and Microsoft Internet Explorer there is, zero interaction required in all cases.

When exploiting via Google Chrome and Mozilla Firefox, depending on configuration a single click may be required.

Note that browser-based exploitation is not the only avenue via which this vulnerability can be exploited. Anywhere URL handlers can be instantiated present an avenue for exploitation.

The exploitation steps are:

• A Citrix storefront is configured to run in unauthenticated / anonymous mode
• A malicious web app serves a valid receiver[:]// URL embedded in an iframe
• this causes a Citrix session to be established without prompts or with a single prompt
• the remote Citrix session launches a malicious console app which hides its window
• this malicious remote app is able to access to the resources of the host via CLIENTC$ allowing:
  • data exfiltration
  • remote code execution

Recommendation

Upgrade Citrix Workspace app to 1904 or newer, or Citrix Receiver for Windows to LTSR 4.9 CU6 version 4.9.6001 or newer.

Vendor Communication

April 9, 2019:   Vulnerability disclosed to Citrix
April 9, 2019:   Confirmation of receipt from Citrix
April 11, 2019:  Confirmation of re-production from Citrix
May 2, 2019:     Notification of patch release pending from Citrix
May 13, 2019:    Release of Advisory from Citrix

Thanks to

Blaine in the Citrix Security Response Team for his timely communication and rapid response.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.