===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1689.2
        Remote Code Execution Vulnerability in Citrix Workspace app
                         and Receiver for Windows
                                20 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Workspace app and Receiver for Windows
Publisher:         Citrix
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11634  

Original Bulletin: 
   https://support.citrix.com/article/CTX251986

Revision History:  May 20 2019: Clarified affected version statement
                   May 14 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Remote Code Execution Vulnerability in Citrix Workspace app and Receiver for Windows

Reference: CTX251986

Category : Critical

Created  : 13 May 2019

Modified : 17 May 2019

Applicable Products

  o Receiver for Windows
  o Citrix Workspace App

Description of Problem

A vulnerability has been identified in Citrix Workspace app and Receiver for
Windows that could result in local drive access preferences not being enforced,
allowing an attacker read/write access to the client's local drives, which
could enable code execution on the client device.

This vulnerability has been assigned the following CVE number:

o CVE-2019-11634: Remote Code Execution Vulnerability in Citrix Workspace app
for Windows prior to version 1904 and Receiver for Windows to LTSR 4.9 CU6
version earlier than 4.9.6001.

This vulnerability affects all versions of Citrix Workspace app for Windows
and Receiver for Windows. The fix is contained in Citrix Workspace app version
1904 or later and Receiver for Windows to LTSR 4.9 CU6 version 4.9.6001.

This vulnerability does not affect Citrix Workspace app and Receiver on any
other platforms.

What Customers Should Do

A new version of Citrix Workspace app and Receiver for Windows has been
released. Citrix strongly recommends that customers upgrade Citrix Workspace
app to version 1904 or later and Receiver for Windows to LTSR 4.9 CU6 version
4.9.6001.

The new Citrix Workspace app version is available from the following Citrix
website location:

https://www.citrix.com/downloads/workspace-app/

The new LTSR version is available from the following Citrix website location:

https://www.citrix.com/downloads/citrix-receiver/windows-ltsr/receiver-for-windows-ltsr-latest.html

Single Sign-on (SSO) could stop working, after applying the security update,
for browsers other than Internet Explorer unless explicitly configured. Use the
following documentation to ensure proper configuration post fix installation:

https://support.citrix.com/article/CTX133982

Acknowledgements

Citrix thanks Ollie Whitehouse, Richard Warren and Martin Hill of NCC Group for
working with us to protect Citrix customers.

Changelog

+--------------------+--------------------------------------------------------+
|Date                |Change                                                  |
+--------------------+--------------------------------------------------------+
|13th May 2019       |Initial publishing                                      |
+--------------------+--------------------------------------------------------+
|17th May 2019       |Clarified affected version statement                    |
+--------------------+--------------------------------------------------------+

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================