CVE-2020-8283
published 2020-12-14


Priority: P1 85 high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 2.57% (83.2th percentile)
An authorised user on a Windows host running Citrix Universal Print Server can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9.

Affected

15 ranges
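| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| citrix | citrix_virtual_apps_and_desktops | | |
| citrix | citrix_xenapp | | |
| citrix | virtual_apps_and_desktops | <= 2006 | |
| citrix | virtual_apps_and_desktops | 1903 – 1912 | |
| citrix | xenapp | < 7.6 | 7.6 |
| citrix | xenapp | | |
| citrix | xenapp | | |
| citrix | xenapp | | |
| citrix | xenapp | >= 7.7 < 7.15 | 7.15 |
| citrix | xendesktop | < 7.6 | 7.6 |
| citrix | xendesktop | | |
| citrix | xendesktop | | |
| citrix | xendesktop | | |
| citrix | xendesktop | >= 7.7 < 7.15 | 7.15 |
| citrix | xenserver | | |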

Detection & IOCs (extracted from sources)

  • CVE-2020-8283 targets Citrix Universal Print Server (UPS) on Windows hosts; look for privilege escalation to SYSTEM originating from an authenticated user process on hosts running UPS
  • Pre-condition for exploitation is write access to the C:\ root directory by the attacking user; monitor for unexpected file writes to C:\ by non-administrative authenticated users on UPS hosts
  • Vulnerability class is CWE-269 (Improper Privilege Management); correlate SYSTEM-level process creation events whose parent process is owned by a low-privileged user on Universal Print Server hosts
  • Affected versions include Citrix Virtual Apps and Desktops 2006 and earlier, 1912 LTSR CU1 and earlier, XenApp/XenDesktop 7.15 LTSR CU6 and earlier, and 7.6 LTSR CU8 and earlier; detection efforts should be scoped to hosts running these versions with Universal Print Server installed
  • The fix for CVE-2020-8283 specifically is delivered via hotfix CTX286120 for Citrix Universal Print Server on 1912 CU1, and via 7.6 LTSR CU9 or CVAD 2009; unpatched UPS installations remain exploitable

CVSS provenance

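| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |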