Hello and welcome to the Tuesday, November 19th, 2024 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich and the time I'm recording from Singapore.

Late last week, Watchtower Labs did release details regarding two so far unpatched vulnerabilities in Citrix's virtual apps

and desktops.

The reason for this particular product to exist is that it essentially allows a solution

to remotely access desktop applications, and often this is used for remote workers in order

to allow them access to these applications without actually exposing any data on

these remote desktops to the remote workers machine to better protect the

confidentiality of the data on this virtual desktop.

One feature provided by the solution is the ability also to record any desktop sessions.

That is, for example, useful for support, where support wants to see what exactly happened on a particular user system, but also just to monitor what remote workers are.

The vulnerability that Watchtower found is related to the ability to then review these remote sessions.

One of the functions being used here is susceptible to deseraturalization

vulnerability. Well, that vulnerability apparently can be exploited without even authenticating

to the system. What we see now is that this particular vulnerability is actively being exploited.

We saw a good number of exploit attempts hit a particular honeypot of hours.

The code they're trying to execute is very typical.

It's basically trying to download additional malware apparently from a remote site.

I wasn't able to retrieve the actual

malware that was being offered here. I'm just getting a 404. It's possible that the attacker

actually doesn't have a file there, but it's just looking for any IP addresses that are reaching

out to this particular URL. Citrix also just released a patch for this vulnerability.

...