'Once again, we've lost a little more faith in the internet,' researcher says
Researchers are publicizing a proof of concept exploit for what they're calling an unauthenticated remote code execution vulnerability in Citrix's Virtual Apps and Desktops.
Sina Kheirkhah, vulnerability researcher at watchTowr, however, states: "This one is a privesc bug yielding system privileges for any VDI user, which is actually a lot worse than it might initially sound since that's system privileges on the server that hosts all the applications and access is 'by design' – allowing an attacker to impersonate any user, including administrators, and monitor behavior, connectivity."
Sessions are sent to the Session Recording Server, as watchTowr referred to it, and then stored in a database. According to Citrix's documentation, the files are sent as message bytes via the Microsoft Message Queuing (MSMQ) service over port 1801. The article also quotes Microsoft's own guidance on the .NET BinaryFormatter serializer: "Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure." Kheirkhah noted his surprise that Citrix enabled MSMQ over HTTP, which seems unnecessary given that none of the product's functionality uses it and it is typically disabled by default.
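As an added illustration (not code from Citrix or watchTowr), the following constructed C# MSMQ consumer shows the BinaryFormatter pattern the quoted guidance warns against beside a hardened receiver that decodes into one fixed plain-data type; the queue path, the RecordingChunk type and the JSON wire format are assumptions, as is the premise that the queue body is handed to BinaryFormatter.

```csharp
using System;
using System.IO;
using System.Messaging;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Constructed message type for the example; the real schema is not on the page.
public sealed class RecordingChunk
{
    public string SessionId { get; set; } = "";
    public int Sequence { get; set; }
    public byte[] Payload { get; set; } = Array.Empty<byte>();
}

public static class RecordingReceiver
{
    // Hypothetical private queue path (assumption, not the product's path).
    private const string QueuePath = @".\private$\recording-example";
    private const int MaxBodyBytes = 16 * 1024 * 1024;

    // INSECURE: BinaryFormatter rebuilds whatever object graph the sender encoded,
    // so whoever can write to the queue (TCP 1801, or HTTP when MSMQ over HTTP is
    // enabled) chooses the types that get instantiated on the server. Per Microsoft,
    // this cannot be made safe by validating the bytes afterwards.
    public static RecordingChunk ReceiveInsecure()
    {
        using var queue = new MessageQueue(QueuePath);
        using Message msg = queue.Receive(TimeSpan.FromSeconds(5));
        return (RecordingChunk)new BinaryFormatter().Deserialize(msg.BodyStream);
    }

    // HARDENED: cap the body size, then parse with a serializer that only ever
    // produces the one declared DTO and never instantiates types named inside the
    // payload; reject anything that does not look like a recording chunk.
    public static RecordingChunk ReceiveHardened()
    {
        using var queue = new MessageQueue(QueuePath);
        using Message msg = queue.Receive(TimeSpan.FromSeconds(5));
        if (msg.BodyStream.Length > MaxBodyBytes)
            throw new InvalidDataException("recording chunk exceeds size limit");
        using var buffer = new MemoryStream();
        msg.BodyStream.CopyTo(buffer);
        var chunk = JsonSerializer.Deserialize<RecordingChunk>(buffer.ToArray())
                    ?? throw new InvalidDataException("empty recording chunk");
        if (string.IsNullOrEmpty(chunk.SessionId) || chunk.Sequence < 0)
            throw new InvalidDataException("malformed recording chunk");
        return chunk;
    }
}
```

Swapping the serializer changes the wire format, so the sender must change with it; it also does nothing about who is allowed to write to the queue, which is why leaving MSMQ over HTTP disabled and restricting queue permissions remain separate controls.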
We're told Citrix plans to publish a blog later today outlining exactly why it disagrees with the researchers over at watchTowr. A spokesperson for the latter, conversely, said in response to the vendor's advisory that Citrix is downplaying the severity of the issue.