{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-037.pdf"
    },
    "title": "UPDATE: Citrix Workspace Vulnerability",
    "serial_number": "2020-037",
    "publish_date": "22-07-2020 14:42:00",
    "description": "Citrix Workspace is vulnerable to a remote command execution attack. The flaw sees Workspace app's automatic update feature abused to gain access to a vulnerable Workspace app installation, with the attack vector being a named pipe. Citrix have assigned CVE-2020-8207 to the vulnerability and released updated versions for Workspace app.<br>Since July, there has been found a secondary attack vector, which would allow attackers to elevate privileges and remotely execute arbitrary commands under the SYSTEM account.",
    "url_title": "2020-037",
    "content_markdown": "---\ntitle: 'Citrix Workspace Vulnerability'\nversion: '1.1'\nnumber: '2020-037'\ndate: 'September 23, 2020'\n---\n\n_History:_\n\n* _22/07/2020 --- v1.0 -- Initial publication_\n* _23/09/2020 --- v1.1 -- Updated with information about new attack vector_\n\n# Summary\n\nCitrix Workspace is vulnerable to a remote command execution attack [1]. The flaw sees Workspace app's automatic update feature abused to gain access to a vulnerable Workspace app installation, with the attack vector being a named pipe [3]. Citrix have assigned CVE-2020-8207 to the vulnerability and released updated versions for Workspace app [2].\n\nSince July, there has been found a secondary attack vector, which would allow attackers to elevate privileges and remotely execute arbitrary commands under the SYSTEM account [6, 7].\n\n# Technical Details\n\nBy sending a crafted message over a named pipe and spoofing the client process ID, the Citrix Workspace Updater Service can be tricked into executing an arbitrary process under the SYSTEM account.  Whilst a low privilege account is required to perform the attack, environments that do not implement SMB signing are particularly vulnerable since an attack can be achieved without knowing valid credentials through NTLM credential relaying [1, 3].\n\nA new attack vector has been discovered [7]. The core of the issue lies with a remote command line injection vulnerability that allows attackers to bypass Citrix signed MSI installers using a malicious MSI transform [6, 7].\n\n# Products Affected\n\nThe issue affects **Citrix Workspace App**.\n\n# Recommendations\n\nThe issue has been addressed in the following versions of Citrix Workspace app for Windows [1, 7]:\n\n- Citrix Workspace App 2008 or later;\n- Citrix Workspace App 1912 LTSR CU1 Hotfix 1 (19.12.1001) and later.\n\nUpdates are available [4, 5]. CERT-EU recommends to update the vulnerable application as soon as possible.\n\n# References\n\n[1] <https://www.pentestpartners.com/security-blog/raining-system-shells-with-citrix-workspace-app/>\n\n[2] <https://support.citrix.com/article/CTX277662>\n\n[3] <https://www.theregister.com/2020/07/21/citrix_workspace_app_vuln/>\n\n[4] <https://www.citrix.com/downloads/workspace-app/windows/>\n\n[5] <https://www.citrix.com/downloads/workspace-app/workspace-app-for-windows-long-term-service-release/>\n\n[6] <https://threatpost.com/citrix-workspace-new-attack/159459/>\n\n[7] <https://www.pentestpartners.com/security-blog/the-return-of-raining-system-shells-with-citrix-workspace-app/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>22/07/2020 --- v1.0 -- Initial publication</em></li><li><em>23/09/2020 --- v1.1 -- Updated with information about new attack vector</em></li></ul><h2 id=\"summary\">Summary</h2><p>Citrix Workspace is vulnerable to a remote command execution attack [1]. The flaw sees Workspace app's automatic update feature abused to gain access to a vulnerable Workspace app installation, with the attack vector being a named pipe [3]. Citrix have assigned CVE-2020-8207 to the vulnerability and released updated versions for Workspace app [2].</p><p>Since July, there has been found a secondary attack vector, which would allow attackers to elevate privileges and remotely execute arbitrary commands under the SYSTEM account [6, 7].</p><h2 id=\"technical-details\">Technical Details</h2><p>By sending a crafted message over a named pipe and spoofing the client process ID, the Citrix Workspace Updater Service can be tricked into executing an arbitrary process under the SYSTEM account. Whilst a low privilege account is required to perform the attack, environments that do not implement SMB signing are particularly vulnerable since an attack can be achieved without knowing valid credentials through NTLM credential relaying [1, 3].</p><p>A new attack vector has been discovered [7]. The core of the issue lies with a remote command line injection vulnerability that allows attackers to bypass Citrix signed MSI installers using a malicious MSI transform [6, 7].</p><h2 id=\"products-affected\">Products Affected</h2><p>The issue affects <strong>Citrix Workspace App</strong>.</p><h2 id=\"recommendations\">Recommendations</h2><p>The issue has been addressed in the following versions of Citrix Workspace app for Windows [1, 7]:</p><ul><li>Citrix Workspace App 2008 or later;</li><li>Citrix Workspace App 1912 LTSR CU1 Hotfix 1 (19.12.1001) and later.</li></ul><p>Updates are available [4, 5]. CERT-EU recommends to update the vulnerable application as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.pentestpartners.com/security-blog/raining-system-shells-with-citrix-workspace-app/\">https://www.pentestpartners.com/security-blog/raining-system-shells-with-citrix-workspace-app/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.citrix.com/article/CTX277662\">https://support.citrix.com/article/CTX277662</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.theregister.com/2020/07/21/citrix_workspace_app_vuln/\">https://www.theregister.com/2020/07/21/citrix_workspace_app_vuln/</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.citrix.com/downloads/workspace-app/windows/\">https://www.citrix.com/downloads/workspace-app/windows/</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.citrix.com/downloads/workspace-app/workspace-app-for-windows-long-term-service-release/\">https://www.citrix.com/downloads/workspace-app/workspace-app-for-windows-long-term-service-release/</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://threatpost.com/citrix-workspace-new-attack/159459/\">https://threatpost.com/citrix-workspace-new-attack/159459/</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.pentestpartners.com/security-blog/the-return-of-raining-system-shells-with-citrix-workspace-app/\">https://www.pentestpartners.com/security-blog/the-return-of-raining-system-shells-with-citrix-workspace-app/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}