CVE-2020-8270
Published: 2020-11-16
Priority: P185 · Severity: high · CVSS 3.1: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: Exploited in the wild (ITW) · VulnCheck KEV · Ransomware
EPSS: 3.34% (percentile 87.1)
An unprivileged Windows user on the VDA or an SMB user can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285871 and CTX285872, 7.15 LTSR CU6 hotfix CTX285341 and CTX285342
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | citrix_xenapp | — | — |
| citrix | virtual_apps_and_desktops | <= 2006 | — |
| citrix | virtual_apps_and_desktops | 1903 – 1912 | — |
| citrix | xenapp | — | — |
| citrix | xendesktop | — | — |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
- CVE-2020-8270 is exploitable when Citrix App-V Service is installed on the VDA; detection should focus on unexpected SYSTEM-level process spawning from the App-V service process on Windows VDAs
- Monitor for OS command injection attempts (CWE-78) originating from the Citrix App-V Service on VDAs, particularly commands executing as SYSTEM from non-privileged user sessions
- Alert on SMB-authenticated remote connections to Windows VDAs that subsequently trigger SYSTEM-level command execution, as SMB users can exploit this remotely when App-V Service and Windows file sharing are both enabled
- CVE-2020-8270 only affects VDAs where Citrix App-V Service is installed; VDAs without App-V Service are not vulnerable to this specific CVE
- Citrix XenApp/XenDesktop 7.6 LTSR is explicitly NOT affected by CVE-2020-8270, only by the other CVEs in this advisory
- Affected versions include Citrix Virtual Apps and Desktops 2006 and earlier, 1912 LTSR CU1 and earlier, and XenApp/XenDesktop 7.15 LTSR CU6 and earlier; fixed in CVAD 2009+, 1912 LTSR CU1 hotfixes CTX285871/CTX285872, and 7.15 LTSR CU6 hotfixes CTX285341/CTX285342
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| VulnCheck | — | 8.8 | HIGH | — |
GHSA
GHSA-5rfq-7599-rxw9 (ghsa_unreviewed · 2022-05-24): CVE-2020-8270 [HIGH] CWE-78
An unprivileged Windows user on the VDA or an SMB user can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285871 and CTX285872, 7.15 LTSR CU6 hotfix CTX285341 and CTX285342
VulnCheck
Citrix virtual_apps_and_desktops: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2020 · CVSS 8.8 · CVE-2020-8270 [HIGH]
An unprivileged Windows user on the VDA or an SMB user can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285871 and CTX285872, 7.15 LTSR CU6 hotfix CTX285341 and CTX285342
Affected: Citrix virtual_apps_and_desktops
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
Citrix
Citrix Virtual Apps and Desktops Security Update
vendor_citrix · 2020-11-25 · CVSS 8.8 · CVE-2020-8269 [HIGH] CWE-269
Description of Problem: Vulnerabilities have been identified in Citrix Virtual Apps and Desktops that could, if exploited, result in:
- An authenticated user of a multi-session Windows VDA, who has been granted permission to write to the c:\ root directory, being able to escalate their privilege level on that VDA to SYSTEM
- An authenticated user of a Windows VDA with Citrix App-V service installed being able to escalate their privilege level on that VDA to SYSTEM
- An authenticated SMB user, who has connected to a Windows VDA with Citrix App-V Service installed and Windows file sharing (SMB) enabled, being able to remotely compromise that VDA
- A user of a Windows host running Citrix Universal Print Server (UPS), who has been granted permission to write to c:\ roo
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.