A new zero-day vulnerability in Citrix’s Session Recording Manager can be exploited to enable unauthenticated remote code execution (RCE) against Citrix Virtual Apps and Desktops, according to watchTowr.
The attack surface management provider investigated the architecture behind Citrix’s Session Recording Manager, a feature that provides a record of user activity to help with audits, detecting unusual behavior and troubleshooting problems.
How Citrix’s Session Recording Manager Works
Citrix’s Session Recording Manager captures user activity, recording keyboard and mouse input, along with the video stream of the desktop’s reaction.
The research highlights how Citrix’s Session Recording Storage Manager efficiently manages recorded session files from Session Recording-enabled computers. To facilitate this, it receives session recordings in the form of message bytes via Microsoft Message Queuing (MSMQ), allowing seamless data transfer from individual computers to centralized storage.
This system is essential for tracking user activity in secure and regulated environments, ensuring recording data flows smoothly into the storage infrastructure.
To maintain data integrity, the Storage Manager must handle incoming messages swiftly, matching the speed at which they are sent by the Session Recording agent. Since the message queue handles data transmission across different processes and potentially separate machines, the system relies on serialization. This process converts data into a standardized format, enabling the receiving systems to interpret and store each recording accurately.
Exposed Microsoft Message Queuing Instance and Insecure BinaryFormatter
However, the watchTowr report also shows how the combination of a carelessly exposed MSMQ service instance that leverages BinaryFormatter can be reached from any host via HTTP to perform unauthenticated RCE.
BinaryFormatter is a .NET class created by Microsoft. It is used for serializing and deserializing objects into a binary format, making it possible to convert complex objects into a byte stream that can be stored or transmitted and reassembled.
However, Microsoft said in an August 2024 blog post that BinaryFormatter was implemented before deserialization vulnerabilities were a well-understood threat category.
“BinaryFormatter is insecure and can't be made secure. Applications should stop using [it] as soon as possible, even if they believe the data they're processing to be trustworthy,” Microsoft added.
At the time of publication, Citrix did not share the version number for patches or CVE identifiers for the above vulnerabilities.
However, a watchTowr spokesperson told Infosecurity that Citrix was aware of the vulnerability. “They agree this is serious. It is likely they have allocated, but they haven't shared the identifier with watchTowr yet,” the spokesperson added.