Description of Problem
A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.
This vulnerability has the following identifier:
CVE ID | Description | Vulnerability Type | Pre-conditions |
CVE-2021-22928 | Local privilege escalation on a Windows VDA | CWE-284: Improper Access Control | Authenticated access to a VDA with Citrix Profile Management or Citrix Profile Management WMI Plugin installed |
The vulnerability affects the following supported versions of Citrix Virtual Apps and Desktops and XenApp / XenDesktop:
- Citrix Virtual Apps and Desktops 2106 and earlier Current Release (CR) versions
- Citrix Virtual Apps and Desktops 1912 LTSR CU3 and earlier versions of 1912 LTSR
- Citrix XenApp / XenDesktop 7.15 LTSR CU7 and earlier versions of 7.15 LTSR
Citrix Virtual Apps and Desktops 2106 is only affected when Citrix Profile Management is installed on a Windows VDA as Citrix Profile Management WMI Plugin is not affected in this version.
Please note that Citrix XenApp / XenDesktop 7.6 LTSR has now reached End of Life and is no longer supported except through Citrix Extended Support Program.
Mitigating Factors
Customers are not affected by this issue if they have disabled Windows Installer on Windows VDAs by configuring the Group Policy setting:
Computer Configuration\Administrative templates\Windows components\windows installer\Turn off Windows Installer
to Enabled - Always.
What Customers Should Do
Citrix has released hotfixes to address the vulnerability in the following supported versions:
Citrix Virtual Apps and Desktops 2106
- Citrix Profile Management x86 - https://support.citrix.com/article/CTX319995
- Citrix Profile Management x64 - https://support.citrix.com/article/CTX319996
Citrix Virtual Apps and Desktops 1912 LTSR
- Citrix Profile Management x64 (3003) - https://support.citrix.com/article/CTX322394
- Citrix Profile Management WMI Plugin x64 - https://support.citrix.com/article/CTX319668
- Citrix Profile Management x86 (3003) - https://support.citrix.com/article/CTX322395
- Citrix Profile Management WMI Plugin x86 - https://support.citrix.com/article/CTX319671
Citrix XenApp / XenDesktop 7.15 LTSR
- Citrix Profile Management x64 - https://support.citrix.com/article/CTX319817
- Citrix Profile Management WMI Plugin x64 - https://support.citrix.com/article/CTX319669
- Citrix Profile Management x86 - https://support.citrix.com/article/CTX319818
- Citrix Profile Management WMI Plugin x86 - https://support.citrix.com/article/CTX319670
Customers who have installed both affected components should install all applicable hotfixes. Customers who have only installed one of the affected components should install the hotfix that applies to the component they have installed.
Citrix recommends that customers install any applicable hotfixes on affected Windows VDAs as soon as possible.
This issue will also be addressed in any future versions of Citrix Virtual Apps and Desktops and Citrix XenApp / XenDesktop.Acknowledgements
What Citrix is Doing
Obtaining Support on This Issue
Subscribe to Receive Alerts
Reporting Security Vulnerabilities to Citrix
Disclaimer
Changelog
Date |
Change |
2021-07-13 |
Initial Publication |
2021-07-13 |
Additional hotfixes added |
2021-07-16 | Updated Profile Management hotfixes for 1912 LTSR (3002) |
2021-07-23 | Added mitigation advice and clarification for 7.6 LTSR |
2021-07-28 | Updated Profile Management hotfixes for 1912 LTSR (3003) |