CVE-2020-8269
Published 2020-11-16
Priority: P184 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 2.57% (83.2nd percentile)
An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | citrix_xenapp | — | — |
| citrix | virtual_apps_and_desktops | <= 2006 | — |
| citrix | virtual_apps_and_desktops | 1903 – 1912 | — |
| citrix | xenapp | < 7.6 | 7.6 |
| citrix | xenapp | — | — |
| citrix | xenapp | — | — |
| citrix | xenapp | — | — |
| citrix | xenapp | >= 7.7 < 7.15 | 7.15 |
| citrix | xendesktop | < 7.6 | 7.6 |
| citrix | xendesktop | — | — |
| citrix | xendesktop | — | — |
| citrix | xendesktop | — | — |
| citrix | xendesktop | >= 7.7 < 7.15 | 7.15 |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
- Target privilege escalation vector: the attacker must have write access to the C:\ root directory on a multi-session Windows VDA to escalate to SYSTEM.
- Exploitation results in arbitrary command execution as SYSTEM from an unprivileged, authenticated Windows user on a multi-session VDA; monitor for SYSTEM-level process creation spawned from low-privileged user sessions on Citrix VDAs.
- Vulnerability class is CWE-269 (Improper Privilege Management) on multi-session VDAs; look for unexpected SYSTEM-context processes or services launched from authenticated user sessions on Citrix Virtual Apps and Desktops multi-session VDAs.
- Exploitation requires the attacker to be an authenticated user who has been granted write access to the C:\ root directory; environments where C:\ write access is restricted to privileged users are less exposed.
- Affected versions include Citrix Virtual Apps and Desktops 2006 and earlier, 1912 LTSR CU1 and earlier, XenApp/XenDesktop 7.15 LTSR CU6 and earlier, and 7.6 LTSR CU8 and earlier; patched versions are 2009+, 1912 LTSR CU1 with hotfixes CTX285870/CTX286120, 7.15 LTSR CU6 with hotfix CTX285344, and 7.6 LTSR CU9.
- CVE-2020-8269 specifically affects multi-session Windows VDAs only; single-session VDAs are not mentioned as in scope for this CVE.
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
- VulnCheck: 8.8 HIGH
GHSA
GHSA-x9cq-5m73-v949 · ghsa_unreviewed · 2022-05-24 · CVE-2020-8269 [HIGH] CWE-269
An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9
VulnCheck
Citrix virtual_apps_and_desktops Improper Privilege Management · vulncheck · 2020 · CVSS 8.8 · CVE-2020-8269 [HIGH]
An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9
Affected: Citrix virtual_apps_and_desktops
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
Citrix
Citrix Virtual Apps and Desktops Security Update · vendor_citrix · 2020-11-25 · CVSS 8.8 · CVE-2020-8269 [HIGH] CWE-269
Description of Problem: Vulnerabilities have been identified in Citrix Virtual Apps and Desktops that could, if exploited, result in:
- An authenticated user of a multi-session Windows VDA, who has been granted permission to write to the c:\ root directory, being able to escalate their privilege level on that VDA to SYSTEM
- An authenticated user of a Windows VDA with Citrix App-V service installed being able to escalate their privilege level on that VDA to SYSTEM
- An authenticated SMB user, who has connected to a Windows VDA with Citrix App-V Service installed and Windows file sharing (SMB) enabled, being able to remotely compromise that VDA
- A user of a Windows host running Citrix Universal Print Server (UPS), who has been granted permission to write to c:\ roo
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Timeline: 2020-11-16 Published · Exploited in the wild