Citrix Virtual Apps and Desktops Security Update
Article ID: CTX319750
Updated On:
Description
A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.
This vulnerability has the following identifier:
| CVE ID | Description | Vulnerability Type | Pre-conditions |
| CVE-2021-22928 | Local privilege escalation on a Windows VDA | CWE-284: Improper Access Control | Authenticated access to a VDA with Citrix Profile Management or Citrix Profile Management WMI Plugin installed |
The vulnerability affects the following supported versions of Citrix Virtual Apps and Desktops and XenApp / XenDesktop:
- Citrix Virtual Apps and Desktops 2106 and earlier Current Release (CR) versions
- Citrix Virtual Apps and Desktops 1912 LTSR CU3 and earlier versions of 1912 LTSR
- Citrix XenApp / XenDesktop 7.15 LTSR CU7 and earlier versions of 7.15 LTSR
Citrix Virtual Apps and Desktops 2106 is only affected when Citrix Profile Management is installed on a Windows VDA as Citrix Profile Management WMI Plugin is not affected in this version.
Please note that Citrix XenApp / XenDesktop 7.6 LTSR has now reached End of Life and is no longer supported except through Citrix Extended Support Program.
Mitigating Factors
Customers are not affected by this issue if they have disabled Windows Installer on Windows VDAs by configuring the Group Policy setting:
Computer Configuration\Administrative templates\Windows components\windows installer\Turn off Windows Installer
to Enabled - Always.
Instructions
Citrix has released hotfixes to address the vulnerability in the following supported versions:
Citrix Virtual Apps and Desktops 2106
- Citrix Profile Management x86 - https://support.citrix.com/article/CTX319995
- Citrix Profile Management x64 - https://support.citrix.com/article/CTX319996
Citrix Virtual Apps and Desktops 1912 LTSR
- Citrix Profile Management x64 (3003) - https://support.citrix.com/article/CTX322394
- Citrix Profile Management WMI Plugin x64 - https://support.citrix.com/article/CTX319668
- Citrix Profile Management x86 (3003) - https://support.citrix.com/article/CTX322395
- Citrix Profile Management WMI Plugin x86 - https://support.citrix.com/article/CTX319671
Citrix XenApp / XenDesktop 7.15 LTSR
- Citrix Profile Management x64 - https://support.citrix.com/article/CTX319817
- Citrix Profile Management WMI Plugin x64 - https://support.citrix.com/article/CTX319669
- Citrix Profile Management x86 - https://support.citrix.com/article/CTX319818
- Citrix Profile Management WMI Plugin x86 - https://support.citrix.com/article/CTX319670
Customers who have installed both affected components should install all applicable hotfixes. Customers who have only installed one of the affected components should install the hotfix that applies to the component they have installed.
Citrix recommends that customers install any applicable hotfixes on affected Windows VDAs as soon as possible.
This issue will also be addressed in any future versions of Citrix Virtual Apps and Desktops and Citrix XenApp / XenDesktop.Acknowledgements
Citrix would like to thank Lasse Trolle Borup of Improsec A/S for working with us to protect Citrix customers.Additional Information
|
Date |
Change |
|
2021-07-13 |
Initial Publication |
|
2021-07-13 |
Additional hotfixes added |
| 2021-07-16 | Updated Profile Management hotfixes for 1912 LTSR (3002) |
| 2021-07-23 | Added mitigation advice and clarification for 7.6 LTSR |
| 2021-07-28 | Updated Profile Management hotfixes for 1912 LTSR (3003) |
