Analysis from the Intruder Security Team
Published Nov 13, 2024
Watchtowr have released a technical article about this vulnerability and its discovery. The details within the article, and poc video call into question the official vulnerability information released by Citrix.
The exploit chain used by Watchtowr relies on sending a HTTP request to the MSMQ which the vulnerable software utilises. By default, MSMQ doesn't operate over HTTP. However, Citrix have enabled a feature which will allow any host to directly communicate to it via HTTP. With this information and the evidence laid out by Watchtowr, it is clear that this is an attack in which an unauthenticated attacker can exploit a vulnerable instance remotely. Thus, this CVSS score should be in the high 9's.
What isn't certain is if the discrepancy in vulnerability details is down to the triager at Citrix not fully understanding the exploit chain, or if it is more malicious whereby another vendor is attempting to downplay the severity of a vulnerability within their software.
Following the release of the proof of concept on the 12th of November 2024, the Shadowserver foundation have witnessed attempts at exploitation.
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:citrix:session_recording:*:*:*:*:-:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FCF54DB8-BBE4-4E48-9037-6FD0E3E3426E",
"versionEndExcluding": "2407"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:1912:-:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7F7F0822-5777-4970-A81F-2FECDE137E53"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:1912:cu1:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E0A17B51-A720-4DB7-BF84-CE13B9517C91"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:1912:cu2:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9BE1BBDB-B867-4B8D-AE55-24D09F0D4EF7"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:1912:cu3:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B4E177A4-F2AF-450F-AC8F-5609E586C654"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:1912:cu4:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "86C686E6-2980-49B3-8229-09EB8F91EDCE"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:1912:cu5:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "79E71D63-EB85-4305-8F9D-D1BF7EC71992"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:1912:cu6:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A46CDA97-3C7C-45B6-890E-9676F059CD88"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:1912:cu7:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "560A4530-C2D2-4631-A754-6DC97E3F29E9"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:1912:cu8:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A9650D15-919D-4F9E-A54D-9E5174D26B07"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:2203:-:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C160123B-9BD5-4B7A-A516-F5A5F97FCC79"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:2203:cu1:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3F507C4F-89AE-45DC-A849-44204AD06D09"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:2203:cu2:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D40669E2-BE98-420B-98F0-10FBF2EA5E6E"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:2203:cu3:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "72923D9A-96C8-40D7-A630-C3C143A7AEA1"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:2203:cu4:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "133696EC-56AB-4B77-8CFE-C97550886037"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:2203:cu5:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "73477179-3270-419C-9ACC-26E43A8D3E93"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:2402:-:*:*:ltsr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "34A32BF4-B379-46D9-AAE6-85680B5ECA42"
},
{
"criteria": "cpe:2.3:a:citrix:session_recording:2407:-:*:*:-:*:*:*",
"vulnerable": true,
"matchCriteriaId": "272D5CE4-4A2F-4417-A274-711FF4115907"
}
],
"operator": "OR"
}
]
}
]