Description of Problem
A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA.
The vulnerability has been given the following identifier:
CVE ID | Description | Vulnerability Type | Pre-conditions |
CVE-2023-24483 | Privilege Escalation to NT AUTHORITY\SYSTEM on the vulnerable VDA | CWE-269: Improper Privilege Management | Local access to a Windows VDA as a standard Windows user |
The vulnerability affects the following supported versions of Citrix Virtual Apps and Desktops:
Current Release (CR)
- Citrix Virtual Apps and Desktops versions before 2212
Long Term Service Release (LTSR)
- Citrix Virtual Apps and Desktops 2203 LTSR before CU2
- Citrix Virtual Apps and Desktops 1912 LTSR before CU6
In addition, customers of Citrix Virtual Apps and Desktops Service who run any of the vulnerable versions of the Citrix Virtual Apps and Desktops Windows VDA are affected and need to take action.
What Customers Should Do
Recent versions of Citrix Virtual Apps and Desktops contain fixes for this vulnerability:
- Citrix Virtual Apps and Desktops 2212 and later versions
- Citrix Virtual Apps and Desktops 2203 LTSR CU2 and later cumulative updates
- Citrix Virtual Apps and Desktops 1912 LTSR CU6 and later cumulative updates
Citrix strongly recommends that customers upgrade to a version of Virtual Apps and Desktops that contains the fixes as soon as possible.
The latest versions of Citrix Virtual Apps and Desktops are available from the following Citrix website location:
https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/
Changelog
Date | Change |
2023-02-14 | Initial publication |