CVE-2019-11634
Published 2019-05-22
Priority: P1 (84) · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 8.09% (94.1th percentile)
Citrix Workspace App before 1904 for Windows has Incorrect Access Control.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_workspace | — | — |
| citrix | citrix_workspace_app | — | — |
| citrix | receiver | — | — |
| citrix | workspace | < 1904 | 1904 |
| citrix | workspace | — | — |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
- Nefilim ransomware exploits CVE-2019-11634 (Citrix Workspace App / Receiver for Windows incorrect access control) for initial access via Citrix gateway devices; hunt for exploitation of unpatched Citrix remote-access endpoints.
- CVE-2019-11634 root cause: local drive access preferences are not enforced, granting an attacker read/write access to the client's local drives and enabling code execution; monitor for unexpected drive mapping or file writes via a Citrix session.
- Detect Nefilim lateral movement via PsExec with the service rename flag '-r mstdc' and the '-accepteula -nobanner' flags; alert on psexec.exe invocations matching this pattern.
- Detect UAC bypass via registry modification: monitor for 'reg add' on HKLM\software\Microsoft\Windows\CurrentVersion\Policies\System setting EnableLUA to 0 via remote PsExec.
- Detect the Nefilim data exfiltration stage: monitor for MegaSync installation and 7zip binary drops followed by large outbound transfers.
- Detect Nefilim self-deletion: alert on cmd.exe spawning 'timeout /t 3 /nobreak' followed by 'del ... /s /f /q' targeting an executable in user download paths.
- CVE-2019-11634 affects Citrix Workspace app for Windows prior to version 1904 and Receiver for Windows LTSR 4.9 CU6 versions earlier than 4.9.6001 only; no other platforms are affected.
- Applying the security patch may break Single Sign-on (SSO) for browsers other than Internet Explorer unless SSO is explicitly reconfigured after the fix.
- CVE-2019-11634 is listed in CISA KEV with known ransomware campaign use (Nefilim); remediation was due by 2022-05-03 per CISA directive.
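Detection logic for the three host-level patterns listed above (the PsExec '-r mstdc' invocation, the EnableLUA registry change, and the timeout/del self-deletion), as an added example that is not drawn from the page's sources; the process-creation events, their pipe-separated format and the rule names are constructed for illustration.

```python
import re

# Constructed sample process-creation events, not taken from the original page.
# Format: "<parent image>|<image>|<command line>".
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Tools\psexec.exe|psexec.exe \\10.0.0.7 -accepteula -nobanner -r mstdc cmd.exe",
    r"C:\Windows\PSEXESVC.exe|C:\Windows\System32\reg.exe|reg add HKLM\software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"C:\Users\alice\Downloads\update.exe|C:\Windows\System32\cmd.exe|cmd.exe /c timeout /t 3 /nobreak & del C:\Users\alice\Downloads\update.exe /s /f /q",
    r"C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Users\alice\Downloads",
    r"C:\Windows\explorer.exe|C:\Tools\psexec.exe|psexec.exe \\srv01 -accepteula cmd.exe",
]

POLICIES_SYSTEM = r"hklm\software\microsoft\windows\currentversion\policies\system"


def detect(event: str) -> list[str]:
    """Return the names of the Nefilim patterns matched by one process-creation event."""
    parent, image, cmdline = event.split("|", 2)
    image_name = image.rsplit("\\", 1)[-1].lower()
    cl = cmdline.lower()
    hits = []

    # Lateral movement: PsExec with the service renamed to 'mstdc' plus -accepteula -nobanner (any flag order).
    if image_name in ("psexec.exe", "psexec64.exe") and "-accepteula" in cl and "-nobanner" in cl \
            and re.search(r"-r\s+mstdc\b", cl):
        hits.append("psexec_service_rename_mstdc")

    # UAC bypass: reg add on the Policies\System key setting EnableLUA to 0.
    if image_name == "reg.exe" and re.match(r"(?:reg(?:\.exe)?\s+)?add\s+", cl) and POLICIES_SYSTEM in cl \
            and "enablelua" in cl and re.search(r"/d\s+0(?:\s|$)", cl):
        hits.append("uac_disable_enablelua")

    # Self-deletion: cmd.exe runs 'timeout /t N /nobreak' then 'del ... /s /f /q' on an .exe under Downloads.
    if image_name == "cmd.exe":
        m = re.search(r"timeout\s+/t\s+\d+\s+/nobreak.*?&\s*del\s+(.+)$", cl)
        if m:
            target = m.group(1)
            if "\\downloads\\" in target and ".exe" in target and all(f in target for f in ("/s", "/f", "/q")):
                hits.append("self_delete_timeout_del")
    return hits


def scan(events: list[str]) -> dict[str, list[str]]:
    """Map each matching event's command line to its rule hits; clean events are omitted."""
    return {e.split("|", 2)[2]: h for e in events if (h := detect(e))}


if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS).items():
        print(", ".join(rules), "<-", cmd)
```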
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 9.8 · CRITICAL
Vulnerability: Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability
Affected: Citrix Workspace Application and Receiver for Windows
Citrix Workspace Application and Receiver for Windows contains a remote code execution vulnerability resulting from local drive access preferences not being enforced on the clients' local drives.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-11634
Remediation Due Date: 2022-05-03
Citrix
CVE-2019-11634: Citrix Workspace App before 1904 for Windows has Incorrect Access Control.
vendor_citrix · 2019-05-22 · CVSS 9.8 · CRITICAL · CWE-284
CISA KEV: Citrix Workspace Application and Receiver for Windows contains a remote code execution vulnerability resulting from local drive access preferences not being enforced on the clients' local drives.
Required Action: Apply updates per vendor instructions.
Known ransomware campaign use.
Citrix
CVE-2019-11634 - Remote Code Execution Vulnerability in Citrix Workspace app and Receiver for Windows
vendor_citrix · CVSS 9.8 · CRITICAL
Description of Problem: A vulnerability has been identified in Citrix Workspace app and Receiver for Windows that could result in local drive access preferences not being enforced, allowing an attacker read/write access to the client's local drives, which could enable code execution on the client device. This vulnerability has been assigned the following CVE number:
- CVE-2019-11634: Remote Code Execution Vulnerability in Citrix Workspace app for Windows prior to version 1904 and Receiver for Windows to LTSR 4.9 CU6 version earlier than 4.9.6001.
This vulnerability affects all versions of Citrix Workspace app for Windows and Receiver for Windows; the fix is contained in Citrix Workspace app version 1904 o
Citrix
CVE-2019-11634 - Improper Access Control Vulnerability in AppDNA
vendor_citrix · CVSS 9.8 · CRITICAL
Description of Problem: A vulnerability has been identified in AppDNA that could result in access controls not being enforced when accessing the web console, potentially allowing privilege escalation and remote code execution. This vulnerability has been assigned the following CVE number:
- CVE-2019-12292: Improper Access Control in AppDNA prior to version 7 1906.1.0.472.
This vulnerability is present in all versions of AppDNA up to and including 7.18
CVE References: CVE-2019-11634, CVE-2019-12292
Affected Products: XenServer
Severity: High
Remediation: This vulnerability has been addressed in AppDNA version 7 1906.1.0.472 and above. Citrix recommends that customers upgrade AppDNA to version 7 1906.1.0.472 and above, and configure IIS a
GHSA
GHSA-cqg8-w8fp-8gm6: Citrix Workspace App before 1904 for Windows has Incorrect Access Control
ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-284
Citrix Workspace App before 1904 for Windows has Incorrect Access Control.
VulnCheck
Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability
vulncheck · 2019 · CVSS 9.8 · CRITICAL
Citrix Workspace Application and Receiver for Windows contains a remote code execution vulnerability resulting from local drive access preferences not being enforced on the clients' local drives.
Affected: Citrix Workspace Application and Receiver for Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
- https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/p
No detection rules found.
No public exploits indexed.
Qualys
Nefilim Ransomware
blogs_qualys · 2021-05-12 · CVSS 9.8 · CRITICAL
## Table of Contents
- About Nefilim Ransomware
- Technical Details
- High-Profile Attacks Taking a Toll
- Mitigation or Additional Important Safety Measures
- Nefilim TTP Map
- Indicators of Compromise (IOCs)
- References
Over the past year there has been a rise in extortion malware that focuses on stealing sensitive data and threatening to publish the data unless a ransom is paid. This technique bypasses some of the mitigations put in place, such as backups, which would allow IT organizations to recover data without having to pay such a ransom. One of the more popular ransomware families over the last few months to switch to this extortion tactic was Nefilim.
## About Nefilim Ransomware
Nefilim ransomware emerged in March 2020 when Nemty operators quit the ransomware as a service model to co
Sources:
- https://support.citrix.com/article/CTX251986
- https://support.citrix.com/v1/search?searchQuery=%22%22&lang=en&sort=cr_date_desc&prod=&pver=&ct=Security+Bulletin
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11634
Timeline:
- 2019-05-22: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild