Operating System:

[WIN][Virtual]

Published:

29 July 2021

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2021.2369.3 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.2369.3
             Citrix Virtual Apps and Desktops Security Update
                               29 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Virtual Apps and Desktops
                   Citrix XenApp / XenDesktop
Publisher:         Citrix
Operating System:  Windows
                   Virtualisation
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22928  

Original Bulletin: 
   https://support.citrix.com/article/CTX319750

Revision History:  July 29 2021: Vendor added further mitigation advice and hofixes
                   July 19 2021: Vendor updated hotfixes for 1912 LTSR
                   July 14 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Virtual Apps and Desktops Security Update

Reference: CTX319750
Category : High
Created  : 12 July 2021
Modified : 28 July 2021

Applicable Products

  o Citrix Virtual Apps and Desktops

Description of Problem

A vulnerability has been identified in Citrix Virtual Apps and Desktops that
could, if exploited, allow a user of a Windows VDA that has either Citrix
Profile Management or Citrix Profile Management WMI Plugin installed to
escalate their privilege level on that Windows VDA to SYSTEM.


This vulnerability has the following identifier:

+--------------+--------------+-------------+---------------------------------+
|CVE ID        |Description   |Vulnerability|Pre-conditions                   |
|              |              |Type         |                                 |
+--------------+--------------+-------------+---------------------------------+
|              |Local         |CWE-284:     |Authenticated access to a VDA    |
|CVE-2021-22928|privilege     |Improper     |with Citrix Profile Management or|
|              |escalation on |Access       |Citrix Profile Management WMI    |
|              |a Windows VDA |Control      |Plugin installed                 |
+--------------+--------------+-------------+---------------------------------+

The vulnerability affects the following supported versions of Citrix Virtual
Apps and Desktops and XenApp / XenDesktop:

  o Citrix Virtual Apps and Desktops 2106 and earlier Current Release (CR)
    versions
  o Citrix Virtual Apps and Desktops 1912 LTSR CU3 and earlier versions of 1912
    LTSR
  o Citrix XenApp / XenDesktop 7.15 LTSR CU7 and earlier versions of 7.15 LTSR

Citrix Virtual Apps and Desktops 2106 is only affected when Citrix Profile
Management is installed on a Windows VDA as Citrix Profile Management WMI
Plugin is not affected in this version.

Please note that Citrix XenApp / XenDesktop 7.6 LTSR has now reached End of
Life and is no longer supported except through Citrix Extended Support Program.

Mitigating Factors

Customers are not affected by this issue if they have disabled Windows
Installer on Windows VDAs by configuring the Group Policy setting:

Computer Configuration\Administrative templates\Windows components\windows installer\Turn off Windows Installer

to Enabled - Always .

What Customers Should Do

Citrix has released hotfixes to address the vulnerability in the following
supported versions:

Citrix Virtual Apps and Desktops 2106

  o Citrix Profile Management x86 - https://support.citrix.com/article/
    CTX319995
  o Citrix Profile Management x64 - https://support.citrix.com/article/
    CTX319996

Citrix Virtual Apps and Desktops 1912 LTSR

  o Citrix Profile Management x64 (3003) - https://support.citrix.com/article/
    CTX322394
  o Citrix Profile Management WMI Plugin x64 - https://support.citrix.com/
    article/CTX319668
  o Citrix Profile Management x86 (3003) - https://support.citrix.com/article/
    CTX322395
  o Citrix Profile Management WMI Plugin x86 - https://support.citrix.com/
    article/CTX319671

Citrix XenApp / XenDesktop 7.15 LTSR

  o Citrix Profile Management x64 - https://support.citrix.com/article/
    CTX319817
  o Citrix Profile Management WMI Plugin x64 - https://support.citrix.com/
    article/CTX319669
  o Citrix Profile Management x86 - https://support.citrix.com/article/
    CTX319818
  o Citrix Profile Management WMI Plugin x86 - https://support.citrix.com/
    article/CTX319670

Customers who have installed both affected components should install all
applicable hotfixes. Customers who have only installed one of the affected
components should install the hotfix that applies to the component they have
installed.

Citrix recommends that customers install any applicable hotfixes on affected
Windows VDAs as soon as possible.

This issue will also be addressed in any future versions of Citrix Virtual Apps
and Desktops and Citrix XenApp / XenDesktop.


Acknowledgements

Citrix would like to thank Lasse Trolle Borup of Improsec A/S for working with
us to protect Citrix customers.


What Citrix is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge Center
at https://support.citrix.com/ .


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at https://www.citrix.com/support/open-a-support-case/ .


Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For details on our vulnerability
response process and guidance on how to report security-related issues to
Citrix, please see the following webpage: https://www.citrix.com/about/
trust-center/vulnerability-process.html .


Disclaimer

This document is provided on an "as is" basis and does not imply any kind of
guarantee or warranty, including the warranties of merchantability or fitness
for a particular use. Your use of the information on the document is at your
own risk. Citrix reserves the right to change or update this document at any
time.


Changelog

Date       Change

2021-07-13 Initial Publication

2021-07-13 Additional hotfixes added

2021-07-16 Updated Profile Management hotfixes for 1912 LTSR (3002)
2021-07-23 Added mitigation advice and clarification for 7.6 LTSR
2021-07-28 Updated Profile Management hotfixes for 1912 LTSR (3003)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYQIFCeNLKJtyKPYoAQi5EA/+MEaBdCfyIO4ySO7NaqO+dYuA0EHYlnjV
SR1Tbd+cJNiXMe7ZO9DOJPVSwM2Nrj+9kCKVhe0pNy6qQbFHLGPTWfYZxhLeizF1
XU1y+rq44E4UqJ6uwdmNtBPibME/YIyehjuQZun8oPhAu2fwIJ4UZu2nLWf9HXNt
6Xc2TGIO56ufGjN3Ez1jli7lD+k+X2RxylhKRzYqtxdbIJVrfJEjCDfnwVyzhlYG
WX2Z6E+UGgoahqMzEbRmM9w2AODcP7hBlI/94KCZ45FxvTJhg2Ho8uu2ZyML7psp
VM/VQ8+Cajne5h/cAWOgG1LSG8FlnAOPf75DJmr3ZyPsd0Z2fVFOib1ypnOjidMf
KM4msIlszyuRp6yhtaCC0+rh/RU7YQ+W7tuHSh7ODw1B0aFq4AkryT2V2hQ0GxVi
JKwZdF/SXqBxdNiB806IbqQBylQmN+guCaEt/ITkFr7UXY2r4nGSJmZqlLyhAWSg
QJDpF2CbdfXakpQy+YI2OiQ66O3e1xccs9ATcNIWilYmOOhIkH/xhw4QiBpZBv5n
j4sbxF5X4uqlwZNkI094N1AjxDI02eolAkK/kHg3PmgwRa1g91z42aq5gQ8lQb8l
u244JPh5R8W91BGKNXXTrOyISjQxmJ1RfYdw/3uZE0GcMHmy+Acy5P6YLbXFkC14
/vDtAOTtAOQ=
=ZfK+
-----END PGP SIGNATURE-----