Citrix servers are hacked via a new method; hackers exploit old CVE-2020-8207 flaw

A critical vulnerability has been revealed in Citrix Workspace whose exploitation would allow threat actors to escalate privileges and execute arbitrary commands under the SYSTEM account. Identified as CVE-2020-8207, the flaw resides in the Workspace for Windows auto-update service.

In addition to escalating privileges, malicious hackers could also compromise a computer running the application remotely when SMB file sharing is enabled, as noted in the security report published by Pen Test Partners and shared with ThreatPost.

Although the flaw was fixed in recent months, researchers recently found that threat actors could still abuse MSI installers (the Windows Installer package format used for the vendor's signed Windows packages), turning this flaw into a remote command injection vulnerability.

Previously, the update service relied on a file hash carried inside a JSON payload to decide whether an update should proceed, which allowed threat actors to deliver their own code by abusing the exposed hash. To prevent this, updates are now downloaded directly from Citrix update servers and cross-referenced with the file requested for installation via the UpdateFilePath attribute, the report notes.

However, the patch released by Citrix does not block remote connectivity, which would mitigate the risk of attack. When analyzing the installer code, the researchers found that the application checks the extension of the file requested for the upgrade: if it ends in .msi, the file is treated as a Windows Installer package, which prevents arbitrary MSI files from being installed directly.

Although these MSI files carry multiple security measures, MSI Transforms support altering or transforming the MSI database prior to installation, which could allow the creation of an MST file that injects code before the package is activated.

According to the researchers, such malicious transforms can be created with Microsoft's Orca tool or with other custom tooling, and an attack would additionally require the original installer to be placed on a network share reachable from the compromised machine.
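The two update-validation designs described above (a hash that travels inside the same payload as the download path, versus a fixed download origin, an extension check and a digest pinned out of band) can be contrasted in a few lines. The following is an added illustration written for this article, not Citrix's updater code or the researchers' tooling; the JSON field names, the placeholder trusted host, the package bytes and the UNC path are all constructed for the example. It shows why a self-attesting hash gives no integrity guarantee and which checks a hardened updater should apply before handing a package to the Windows Installer (a real updater should additionally verify the package's Authenticode signature, which is not modelled here).

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed example: two ways an auto-updater might decide whether a
# downloaded package is acceptable. Neither is Citrix's code; the JSON
# field names (UpdateFilePath, Hash) and the trusted host are assumptions.
TRUSTED_ORIGINS = {"downloads.example-vendor.test"}  # placeholder, not a real host

# Digest of the genuine package, pinned out of band (constructed bytes).
GENUINE_PACKAGE = b"genuine installer bytes"
PINNED_SHA256 = hashlib.sha256(GENUINE_PACKAGE).hexdigest()

# Constructed test vectors: a legitimate payload and a tampered one that
# points at an SMB share and supplies a hash for the attacker's own file.
ATTACKER_PACKAGE = b"attacker-supplied installer bytes"
LEGIT_PAYLOAD = json.dumps({
    "UpdateFilePath": "https://downloads.example-vendor.test/Workspace.msi",
    "Hash": PINNED_SHA256,
})
TAMPERED_PAYLOAD = json.dumps({
    "UpdateFilePath": "\\\\untrusted-host\\share\\Workspace.msi",
    "Hash": hashlib.sha256(ATTACKER_PACKAGE).hexdigest(),
})
BAD_EXTENSION_PAYLOAD = json.dumps({
    "UpdateFilePath": "https://downloads.example-vendor.test/Workspace.exe",
    "Hash": PINNED_SHA256,
})


def weak_check(payload_json: str, downloaded: bytes) -> bool:
    """Pre-patch style: trust whatever hash arrives in the payload itself.

    The hash and the file come from the same (possibly attacker-controlled)
    source, so this only proves the file matches the attacker's own digest.
    """
    payload = json.loads(payload_json)
    return hashlib.sha256(downloaded).hexdigest() == payload["Hash"]


def hardened_check(payload_json: str, downloaded: bytes) -> bool:
    """Post-patch style: trusted origin + .msi extension + pinned digest."""
    payload = json.loads(payload_json)
    path = payload["UpdateFilePath"]

    # Reject UNC paths outright: an SMB share is not a trusted update source.
    if path.startswith("\\\\"):
        return False

    # Only HTTPS downloads from an allowlisted origin are acceptable.
    parsed = urlparse(path)
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_ORIGINS:
        return False

    # The requested file must be a Windows Installer package.
    if not parsed.path.lower().endswith(".msi"):
        return False

    # Compare against a digest the updater already trusts, not one in the payload.
    return hashlib.sha256(downloaded).hexdigest() == PINNED_SHA256


if __name__ == "__main__":
    print("weak, legit:      ", weak_check(LEGIT_PAYLOAD, GENUINE_PACKAGE))
    print("weak, tampered:   ", weak_check(TAMPERED_PAYLOAD, ATTACKER_PACKAGE))
    print("hardened, legit:  ", hardened_check(LEGIT_PAYLOAD, GENUINE_PACKAGE))
    print("hardened, tampered", hardened_check(TAMPERED_PAYLOAD, ATTACKER_PACKAGE))
```

Run as a script, the weak check accepts both the genuine and the tampered payload, while the hardened check accepts only the genuine one. The extension check alone is the thinnest of the three controls: as the article goes on to note, a legitimately signed .msi can still be modified at install time through a transform, so the origin allowlist and the pinned digest (or a signature check) are what actually bind the installed content to the vendor.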

For security, Citrix Workspace users are encouraged to upgrade to the latest available version to mitigate the risk of exploitation.