-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1689.3
        Remote Code Execution Vulnerability in Citrix Workspace app
                         and Receiver for Windows
                                27 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Workspace app and Receiver for Windows
Publisher:         Citrix
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11634  

Original Bulletin: 
   https://support.citrix.com/article/CTX251986

Revision History:  May 27 2019: Added "Mitigating Factors" section
                   May 20 2019: Clarified affected version statement
                   May 14 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Remote Code Execution Vulnerability in Citrix Workspace app and Receiver for Windows

Reference: CTX251986

Category : Critical

Created  : 13 May 2019

Modified : 24 May 2019

Applicable Products

  o Receiver for Windows
  o Citrix Workspace App

Description of Problem

A vulnerability has been identified in Citrix Workspace app and Receiver for
Windows that could result in local drive access preferences not being enforced,
allowing an attacker read/write access to the client's local drives, which could
enable code execution on the client device.

This vulnerability has been assigned the following CVE number:

o CVE-2019-11634: Remote Code Execution Vulnerability in Citrix Workspace app
for Windows prior to version 1904 and Receiver for Windows LTSR 4.9 CU6
versions earlier than 4.9.6001.

This vulnerability affects all versions of Citrix Workspace app for Windows
and Receiver for Windows. The fix is contained in Citrix Workspace app version
1904 or later and Receiver for Windows LTSR 4.9 CU6 version 4.9.6001.

This vulnerability does not affect Citrix Workspace app and Receiver on any
other platforms.

Mitigating Factors

Citrix strongly recommends that customers upgrade to the latest Citrix
Workspace app for Windows and Receiver for Windows to address this
vulnerability. In cases where the upgrade is not immediately possible, applying
a Client Selective Trust policy via GPO can limit the exploitability of this
vulnerability until the upgrade can be completed. The following settings must
be set in both the x86 and x64 hives, and the client system must be rebooted
for them to take effect.

Set all FileSecurityPermission values to 0, which means No Access (see
CTX133565 for further details)

And

Set InstantiatedSecurityPolicyEditable\default to false (see CTX128792 for
further details)

Note: Restarting Citrix Workspace app and Receiver is not sufficient to apply
the changes; the operating system must be rebooted.
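As an added example (not part of the Citrix or AusCERT bulletin), the following
PowerShell script audits the interim Client Selective Trust mitigation described
above on a Windows client: it walks both hives, reports any
FileSecurityPermission value that is not 0 (No Access), and checks that the
InstantiatedSecurityPolicyEditable default value is "false". The base registry
key paths are placeholders and must be taken from CTX133565 and CTX128792 for
the installed client version; the script's parameter name and output format are
assumptions of this example. It only reads the registry and does not change any
setting.

```powershell
# Added example, not Citrix's or AusCERT's own code: audit the Client Selective
# Trust mitigation (FileSecurityPermission = 0, InstantiatedSecurityPolicyEditable
# default = false) in both the x86 and x64 hives.
# ASSUMPTION: the base key paths below are placeholders. Replace them with the
# Client Selective Trust key paths given in CTX133565 / CTX128792.
param(
    [string[]]$BaseKeys = @(
        'HKLM:\SOFTWARE\<CLIENT-SELECTIVE-TRUST-KEY-FROM-CTX133565>',
        'HKLM:\SOFTWARE\WOW6432Node\<CLIENT-SELECTIVE-TRUST-KEY-FROM-CTX133565>'
    )
)

$findings = @()

foreach ($base in $BaseKeys) {
    if (-not (Test-Path -Path $base)) {
        $findings += [pscustomobject]@{
            Key = $base; Value = '(hive)'; State = 'MISSING'
            Detail = 'base key not present; mitigation not applied in this hive'
        }
        continue
    }

    # Every FileSecurityPermission value at or below the base key must be 0.
    $keys = @(Get-Item -Path $base) +
            @(Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        if ($props.PSObject.Properties.Name -contains 'FileSecurityPermission') {
            $v = [int]$props.FileSecurityPermission
            $findings += [pscustomobject]@{
                Key    = $k.Name
                Value  = 'FileSecurityPermission'
                State  = if ($v -eq 0) { 'OK' } else { 'NON-COMPLIANT' }
                Detail = "value is $v (0 = No Access required)"
            }
        }
    }

    # The default value of InstantiatedSecurityPolicyEditable must be "false"
    # so that users cannot relax the policy from the client UI.
    $editableKey = Join-Path -Path $base -ChildPath 'InstantiatedSecurityPolicyEditable'
    if (Test-Path -Path $editableKey) {
        $default = (Get-ItemProperty -Path $editableKey -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{
            Key    = $editableKey
            Value  = '(Default)'
            State  = if ("$default" -eq 'false') { 'OK' } else { 'NON-COMPLIANT' }
            Detail = "value is '$default' (expected 'false')"
        }
    } else {
        $findings += [pscustomobject]@{
            Key = $editableKey; Value = '(Default)'; State = 'MISSING'
            Detail = 'key not present'
        }
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit when any hive is non-compliant or incomplete, so the script can
# serve as a compliance check in a scheduled task or configuration baseline.
# Remember that the settings only take effect after an operating system reboot.
if ($findings | Where-Object { $_.State -ne 'OK' }) { exit 1 } else { exit 0 }
```

Run it in an elevated PowerShell session on a client that has received the GPO;
a clean run lists every FileSecurityPermission value as OK in both hives and
exits 0. A MISSING result for the x64 hive is the common mistake the bulletin
warns about: the policy was applied to only one of the two hives.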

What Customers Should Do

A new version of Citrix Workspace app and Receiver for Windows has been
released. Citrix strongly recommends that customers upgrade Citrix Workspace
app to version 1904 or later and Receiver for Windows to LTSR 4.9 CU6 version
4.9.6001.

The new Citrix Workspace app version is available from the following Citrix
website location:

https://www.citrix.com/downloads/workspace-app/

The new LTSR version is available from the following Citrix website location:

https://www.citrix.com/downloads/citrix-receiver/windows-ltsr/receiver-for-windows-ltsr-latest.html

After applying the security update, Single Sign-on (SSO) could stop working for
browsers other than Internet Explorer unless it is explicitly configured. Use
the following documentation to ensure proper configuration after installing the
fix:

https://support.citrix.com/article/CTX133982

Acknowledgements

Citrix thanks Ollie Whitehouse, Richard Warren and Martin Hill of NCC Group for
working with us to protect Citrix customers.

Changelog

+--------------------+--------------------------------------------------------+
|Date                |Change                                                  |
+--------------------+--------------------------------------------------------+
|13th May 2019       |Initial publishing                                      |
+--------------------+--------------------------------------------------------+
|17th May 2019       |Clarified affected version statement                    |
+--------------------+--------------------------------------------------------+
|24th May 2019       |Added "Mitigating Factors" section                      |
+--------------------+--------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----