In November 2024, two critical vulnerabilities—CVE-2024-8068 and CVE-2024-8069—were identified in Citrix’s Session Recording Manager, a component of Citrix Virtual Apps and Desktops. These vulnerabilities could potentially allow attackers to execute arbitrary code or escalate privileges on affected systems.
Understanding the Vulnerabilities
Citrix’s Session Recording Manager is designed to capture and manage recordings of user sessions, including keyboard and mouse inputs, websites visited, and video streams of desktop activity. The identified vulnerabilities stem from improper deserialization processes within this component.
- CVE-2024-8068: This vulnerability allows an authenticated user within the same Windows Active Directory domain as the session recording server to escalate privileges to the NetworkService account.
- CVE-2024-8069: This issue permits a limited form of remote code execution for attackers with administrative-level access on vulnerable systems.
Discrepancies in Exploitation Potential
There has been some debate regarding the exploitation potential of these vulnerabilities. Citrix maintains that exploitation requires prior authentication and specific conditions, limiting the risk to authenticated users within the same domain. However, researchers from watchTowr, who discovered these flaws, argue that the vulnerabilities could be exploited by unauthenticated attackers, suggesting a broader risk.
Affected Versions
The vulnerabilities impact the following versions of Citrix Session Recording:
- Citrix Virtual Apps and Desktops before version 2407 hotfix 24.5.200.8 (Current Release)
- Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6
- Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11
- Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16
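To triage an inventory against the fixed builds listed above, the following added example (not code from Citrix or from the original article) compares build numbers numerically and flags anything it cannot place for manual review. It assumes the installed Session Recording build is a four-part number whose first two components identify the release branch; the host names and builds in the sample inventory are constructed.

```python
# Fixed builds from the list above, keyed by the build's (major, minor).
# Assumption: the first two components of a build identify its release branch.
FIXED = {
    (24, 5): ("2407 Current Release", (24, 5, 200, 8)),
    (19, 12): ("1912 LTSR CU9", (19, 12, 9100, 6)),
    (22, 3): ("2203 LTSR CU5", (22, 3, 5100, 11)),
    (24, 2): ("2402 LTSR CU1", (24, 2, 1200, 16)),
}

def parse_build(text):
    """Turn '22.03.5100.11' into (22, 3, 5100, 11); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)

def classify(build_text):
    """Return (status, branch); status is 'patched', 'vulnerable' or 'review'."""
    try:
        build = parse_build(build_text)
    except ValueError:
        return ("review", None)
    entry = FIXED.get(build[:2])
    if entry is None:
        # Not one of the four listed branches: check by hand against the advisory.
        return ("review", None)
    branch, fixed = entry
    # Tuples compare numerically per component; as strings, '19.12.9100.10'
    # would sort below '19.12.9100.6' and '22.03' would not equal '22.3'.
    return ("patched" if build >= fixed else "vulnerable", branch)

def triage(inventory):
    """Map each host to its status for a list of (host, build) pairs."""
    return {host: classify(build)[0] for host, build in inventory}

# Constructed inventory (hypothetical host names and builds).
SAMPLE = [
    ("sr-01", "24.5.200.8"),
    ("sr-02", "19.12.9000.4"),
    ("sr-03", "22.03.5100.11"),
    ("sr-04", "22.3.5000.2"),
    ("sr-05", "23.11.0.5"),
    ("sr-06", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "review" fall outside the four listed branches or have an unreadable build and need to be checked against Citrix's advisory directly.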
Mitigation and Recommendations
Citrix has released patches to address these vulnerabilities and strongly advises affected customers to update their systems promptly. Administrators should review Citrix’s official advisory for detailed guidance on applying the necessary updates.
Given the potential risks, organizations are urged to:
- Apply the recommended patches without delay.
- Review and adjust access controls to ensure that only authorized users have access to the Session Recording Manager.
- Monitor systems for any unusual activity that could indicate exploitation attempts.
By taking these proactive measures, organizations can mitigate the risks associated with CVE-2024-8068 and CVE-2024-8069, ensuring the security and integrity of their systems.