CVE-2020-8283
Published 2020-12-14
Priority: P1 · 85 · high · CVSS 3.1: 8.8
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 2.57% (83.2th percentile)
An authorised user on a Windows host running Citrix Universal Print Server can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | citrix_xenapp | — | — |
| citrix | virtual_apps_and_desktops | <= 2006 | — |
| citrix | virtual_apps_and_desktops | 1903 – 1912 | — |
| citrix | xenapp | < 7.6 | 7.6 |
| citrix | xenapp | — | — |
| citrix | xenapp | — | — |
| citrix | xenapp | — | — |
| citrix | xenapp | >= 7.7 < 7.15 | 7.15 |
| citrix | xendesktop | < 7.6 | 7.6 |
| citrix | xendesktop | — | — |
| citrix | xendesktop | — | — |
| citrix | xendesktop | — | — |
| citrix | xendesktop | >= 7.7 < 7.15 | 7.15 |
| citrix | xenserver | — | — |
Detection & IOCs
- CVE-2020-8283 targets Citrix Universal Print Server (UPS) on Windows hosts; look for privilege escalation to SYSTEM originating from an authenticated user process on hosts running UPS
- Pre-condition for exploitation is write access to the C:\ root directory by the attacking user; monitor for unexpected file writes to C:\ by non-administrative authenticated users on UPS hosts
- Vulnerability class is CWE-269 (Improper Privilege Management); correlate SYSTEM-level process creation events whose parent process is owned by a low-privileged user on Universal Print Server hosts
- Affected versions include Citrix Virtual Apps and Desktops 2006 and earlier, 1912 LTSR CU1 and earlier, XenApp/XenDesktop 7.15 LTSR CU6 and earlier, and 7.6 LTSR CU8 and earlier; detection efforts should be scoped to hosts running these versions with Universal Print Server installed
- The fix for CVE-2020-8283 specifically is delivered via hotfix CTX286120 for Citrix Universal Print Server on 1912 CU1, and via 7.6 LTSR CU9 or CVAD 2009; unpatched UPS installations remain exploitable
CVSS provenance
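| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |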
Citrix
vendor_citrix · 2020-12-14 · CVSS 8.8
CVE-2020-8283 [HIGH] CWE-269
CVE-2020-8283: An authorised user on a Windows host running Citrix Universal Print Server can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9.
Citrix
Citrix Virtual Apps and Desktops Security Update
vendor_citrix · 2020-11-25 · CVSS 8.8
CVE-2020-8269 [HIGH] CWE-269
of Problem
Vulnerabilities have been identified in Citrix Virtual Apps and Desktops that could, if exploited, result in:
- An authenticated user of a multi-session Windows VDA, who has been granted permission to write to c:\ root directory, being able to escalate their privilege level on that VDA to SYSTEM
- An authenticated user of a Windows VDA with Citrix App-V service installed being able to escalate their privilege level on that VDA to SYSTEM
- An authenticated SMB user, who has connected to a Windows VDA with Citrix App-V Service installed and Windows file sharing (SMB) enabled, being able to remotely compromise that VDA
- A user of a Windows host running Citrix Universal Print Server (UPS), who has been granted permission to write to c:\ roo
GHSA
GHSA-9x7w-7fh3-wph9
ghsa_unreviewed · 2022-05-24
CVE-2020-8283 [HIGH] CWE-269
An authorised user on a Windows host running Citrix Universal Print Server can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9.
VulnCheck
Citrix virtual_apps_and_desktops Improper Privilege Management
vulncheck · 2020 · CVSS 8.8
CVE-2020-8283 [HIGH]
An authorised user on a Windows host running Citrix Universal Print Server can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9.
Affected: Citrix virtual_apps_and_desktops
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-12-14
Exploited in the wild