-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1689.3
  Remote Code Execution Vulnerability in Citrix Workspace app and Receiver
                                 for Windows
                                 27 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Workspace app and Receiver for Windows
Publisher:         Citrix
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11634

Original Bulletin:
   https://support.citrix.com/article/CTX251986

Revision History:  May 27 2019: Added "Mitigating Factors" section
                   May 20 2019: Clarified affected version statement
                   May 14 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Remote Code Execution Vulnerability in Citrix Workspace app and Receiver for
Windows

Reference: CTX251986
Category : Critical
Created  : 13 May 2019
Modified : 24 May 2019

Applicable Products

  o Receiver for Windows
  o Citrix Workspace App

Description of Problem

A vulnerability has been identified in Citrix Workspace app and Receiver for
Windows that could result in local drive access preferences not being enforced,
allowing an attacker read/write access to the client's local drives, which
could enable code execution on the client device.

This vulnerability has been assigned the following CVE number:

  o CVE-2019-11634: Remote Code Execution Vulnerability in Citrix Workspace app
    for Windows prior to version 1904 and Receiver for Windows LTSR 4.9 CU6
    versions earlier than 4.9.6001.

This vulnerability affects all versions of Citrix Workspace app for Windows and
Receiver for Windows; the fix is contained in Citrix Workspace app version 1904
or later and Receiver for Windows LTSR 4.9 CU6 version 4.9.6001.
This vulnerability does not affect Citrix Workspace app and Receiver on any
other platforms.

Mitigating Factors

Citrix strongly recommends that customers upgrade to the latest Citrix Workspace
app for Windows and Receiver for Windows to address this vulnerability. In cases
where the upgrade is not immediately possible, applying a Client Selective Trust
policy via GPO can be used to limit the exploitability of this vulnerability
until the upgrade can be completed. The following settings must be set for both
the x86 and x64 hives, and the client system must be rebooted for them to take
effect:

  o Set all FileSecurityPermission values to 0, which means No Access (see
    CTX133565 for further details)

  and

  o Set InstantiatedSecurityPolicyEditable\default to false (see CTX128792 for
    further details)

Note: Restarting Citrix Workspace app and Receiver is not sufficient to apply
the changes; the operating system must be rebooted.

What Customers Should Do

A new version of Citrix Workspace app and Receiver for Windows has been
released. Citrix strongly recommends that customers upgrade Citrix Workspace app
to version 1904 or later and Receiver for Windows to LTSR 4.9 CU6 version
4.9.6001.

The new Citrix Workspace app version is available from the following Citrix
website location:

  https://www.citrix.com/downloads/workspace-app/

The new LTSR version is available from the following Citrix website location:

  https://www.citrix.com/downloads/citrix-receiver/windows-ltsr/receiver-for-windows-ltsr-latest.html

Single Sign-on (SSO) could stop working, after applying the security update, for
browsers other than Internet Explorer unless explicitly configured. Use the
following documentation to ensure proper configuration post fix installation:

  https://support.citrix.com/article/CTX133982

Acknowledgements

Citrix thanks Ollie Whitehouse, Richard Warren and Martin Hill of NCC Group for
working with us to protect Citrix customers.
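The interim Client Selective Trust mitigation above has two settings that must hold in both the x64 and x86 registry views, and a missed view leaves the client exposed. The following PowerShell audit is an added example, not code from the AusCERT bulletin or from Citrix: it reads both views (the 32-bit view lives under WOW6432Node on 64-bit Windows), reports every FileSecurityPermission value that is not 0 (No Access), checks InstantiatedSecurityPolicyEditable\default, and lists the installed Citrix client versions so they can be compared with the fixed versions in the bulletin. The bulletin does not give the registry path of the CST policy key, so the default for -CstKeyPath is a labelled placeholder; take the real path from CTX133565 and CTX128792. Treating either DWORD 0 or the string "false" as "false" for the default value is also an assumption.

```powershell
# Added example (not part of the AusCERT/Citrix bulletin): audit the interim
# Client Selective Trust (CST) mitigation for CVE-2019-11634 on a Windows client
# in both registry views named by the bulletin (x64 and x86/WOW6432Node).
function Test-CitrixCstMitigation {
    [CmdletBinding()]
    param(
        # PLACEHOLDER: the bulletin gives no key path; use the path from CTX133565.
        [string]$CstKeyPath = 'Policies\Citrix\PLACEHOLDER-CST-KEY-FROM-CTX133565'
    )

    # Native view, plus the 32-bit view when the OS is 64-bit.
    $views = @(@{ Name = 'x64'; Root = "HKLM:\SOFTWARE\$CstKeyPath" })
    if ([Environment]::Is64BitOperatingSystem) {
        $views += @{ Name = 'x86'; Root = "HKLM:\SOFTWARE\WOW6432Node\$CstKeyPath" }
    }

    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Root)) {
            [pscustomobject]@{ View = $view.Name; Setting = 'CST policy key'; Value = $null
                               Compliant = $false; Note = 'policy key missing in this view' }
            continue
        }

        # 1. Every FileSecurityPermission value (policy key and all subkeys) must be 0.
        $keys = @(Get-Item -LiteralPath $view.Root) + @(Get-ChildItem -LiteralPath $view.Root -Recurse)
        $seen = $false
        foreach ($key in $keys) {
            $fsp = $key.GetValue('FileSecurityPermission', $null)
            if ($null -eq $fsp) { continue }
            $seen = $true
            [pscustomobject]@{
                View      = $view.Name
                Setting   = "$($key.PSChildName)\FileSecurityPermission"
                Value     = $fsp
                Compliant = ($fsp -eq 0)
                Note      = if ($fsp -eq 0) { 'No Access' } else { 'expected 0 (No Access)' }
            }
        }
        if (-not $seen) {
            [pscustomobject]@{ View = $view.Name; Setting = 'FileSecurityPermission'; Value = $null
                               Compliant = $false; Note = 'no FileSecurityPermission values found' }
        }

        # 2. InstantiatedSecurityPolicyEditable\default must be false.
        # ASSUMPTION: "false" is stored as DWORD 0 or as the string "false".
        $editKey = Join-Path $view.Root 'InstantiatedSecurityPolicyEditable'
        $editVal = $null
        if (Test-Path -LiteralPath $editKey) {
            $k = Get-Item -LiteralPath $editKey
            $editVal = $k.GetValue('default', $null)
            if ($null -eq $editVal) { $editVal = $k.GetValue('', $null) }   # key's (Default) value
        }
        $editOk = ($editVal -is [int] -and $editVal -eq 0) -or ("$editVal" -ieq 'false')
        [pscustomobject]@{
            View      = $view.Name
            Setting   = 'InstantiatedSecurityPolicyEditable\default'
            Value     = $editVal
            Compliant = $editOk
            Note      = if ($editOk) { 'policy not user-editable' } else { 'expected false' }
        }
    }
}

# Installed Citrix client entries, for comparison with the fixed versions in the
# bulletin (Workspace app 1904 or later; Receiver for Windows LTSR 4.9.6001).
function Get-CitrixClientVersion {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $entry.PSPath
            if ($p.DisplayName -like 'Citrix Workspace*' -or $p.DisplayName -like 'Citrix Receiver*') {
                [pscustomobject]@{ Name = $p.DisplayName; Version = $p.DisplayVersion }
            }
        }
    }
}

# Usage (run elevated): show the audit and flag an incomplete mitigation.
Get-CitrixClientVersion | Format-Table -AutoSize
$report = Test-CitrixCstMitigation
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'CST mitigation incomplete in at least one registry view; a reboot is required after changes, and upgrading remains the fix.'
}
```

The audit is read-only by design: it tells an administrator which view or value still needs attention before a reboot, and it does not write the policy itself, since the GPO described in CTX133565 and CTX128792 is the supported way to set it.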
Changelog

+--------------------+--------------------------------------------------------+
|Date                |Change                                                  |
+--------------------+--------------------------------------------------------+
|13th May 2019       |Initial publishing                                      |
+--------------------+--------------------------------------------------------+
|17th May 2019       |Clarified affected version statement                    |
+--------------------+--------------------------------------------------------+
|24th May 2019       |Added "Mitigating Factors" section                      |
+--------------------+--------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT
did not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.
Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXOtOpmaOgq3Tt24GAQi5cxAAxMYRrG+YXtwCmS5JHto0xJyqcGNWX99J
HIfRAYSS8boxK60cBANRukGV8/vUZa+WC4D4W+QhosTGLze3fYB5Raoh1Efknvjx
rowsOrhNKJBjF/kdJJ0z2JwyXntfOXBp4fJG2c4wfsbYK6JqwWUQJQ0IEliUhf81
/1U9MpN2doXBiEHMeXu6yeSyBbJVKayr/Z4wZf2seZBWCjL82jeJvepz5CIAPTVl
RVS0CSxLZEBTtWa5yVrj8D62Rd+tIbpzf/+umK7S7l1E9MZNDQthCVFbccPcxhaI
e5tXEsUIaIQNM9C726w8TE+hdSIV6k/Q/nGFsqf0DL4KcfxRxWQpq24qqFXJ3/tO
bIZFerplwhAnXATlx8FhsAAT/CV7X3yLH36JrJY/7E+WUvRZgHFv6087py03X46K
uJsAjgHP2sbO2QdYN0/bS7tWYipndAGFBFvaQP8OWnOU6POIIevooDpSXfe0jzFH
Sn+wYR1QubCtTG95ktX8XwBxh2uG0lCgykvMFg8EyMVaYdkh/wHq7BH58PaydZh8
IXSD4+yUDhUiAEzGftTv0Lzrdt0SotrWvlg4eFFB2qH3wg/1px2Rg8mQPwHGSzgR
vQ/yS9fktH8kyD9vlsgJIB1tIXz9FG+0r2idQyOHtRWnq0OuSjoeeFdF/LWj6Htt
LFqPRMZOtyY=
=KMQY
-----END PGP SIGNATURE-----