March 3, 2025

Cybersecurity researchers have reported exploitation attempts targeting two recently patched vulnerabilities in Citrix Session Recording. These vulnerabilities, identified as CVE-2024-8068 and CVE-2024-8069, were disclosed by cybersecurity firm WatchTowr, which released technical details and a proof-of-concept (PoC) exploit on November 12, 2024.

Vulnerability Details

The vulnerabilities affect the Session Recording component of the Citrix Virtual Apps and Desktops solution. WatchTowr initially described the flaws as enabling unauthenticated remote code execution, raising concerns about their severity. While the vulnerabilities were initially thought to be unpatched, Citrix clarified that fixes were released in an advisory on the same day as WatchTowr’s disclosure.

CVE-2024-8068 is a privilege escalation issue, while CVE-2024-8069 is a limited remote code execution vulnerability. Both require authentication to exploit and have been rated as medium severity by Citrix. The vulnerabilities are limited to the Citrix Session Recording server, an optional component of Citrix Virtual Apps and Desktops typically deployed on a standalone Windows Server within a corporate network.

Exploitation Context

Citrix emphasized that successful exploitation requires attackers to be on a trusted machine within the same domain as the Session Recording server. The exploit uses Microsoft Message Queuing (MSMQ) to send malicious objects; to mitigate this risk, Citrix recommends enabling HTTPS integration with Active Directory as the authentication method for MSMQ communications.

Moreover, if exploited, the vulnerabilities would allow malicious code to run in the Network Service context, which has fewer privileges than the System context, reducing the overall impact.

Exploitation Attempts Reported

Despite Citrix’s assertions, security researchers and organizations have observed exploitation attempts. The Shadowserver Foundation detected scanning activity shortly after the PoC exploit was made public, while security researcher Kevin Beaumont demonstrated that some exposed systems could be exploited over the internet without authentication. A Shodan search identified hundreds of Session Recording servers exposed online, contrary to Citrix’s recommendations.

The SANS Technology Institute’s honeypots also recorded exploitation attempts involving curl commands originating from an IP address in South Africa. While some of this activity may stem from security researchers scanning for vulnerabilities, there is concern about potential attacks by malicious actors.

As of now, there have been no confirmed reports of successful exploitation in the wild, but organizations are urged to act proactively.

Recommendations for Mitigation

Citrix has advised all users to update their systems promptly to mitigate the risks associated with these vulnerabilities. Customers should ensure that Session Recording servers are deployed on trusted machines within corporate networks and are not exposed to the internet.

Additionally, Citrix recommends:

  • Using HTTPS with Active Directory authentication for MSMQ communications.
  • Installing the latest patches as outlined in Citrix’s advisory.

Looking Ahead

While Citrix has not directly addressed reports of ongoing exploitation attempts, the company has assured customers that it will release further information to address security concerns.

Given the history of Citrix vulnerabilities being among the most commonly exploited flaws in recent years, organizations are strongly encouraged to take immediate action to secure their environments against potential threats.

For detailed guidance and updates, refer to Citrix’s official advisory.
