CVSS v2 Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector string | AV:L/AC:L/Au:N/C:C/I:C/A:C |

CVSS v3.1 Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector string | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS | Value |
---|---|
Percentile | 12.6% |
A vulnerability has been identified that could result in a local user escalating their privilege level to SYSTEM on the computer running Citrix Workspace app for Windows.
The vulnerability has the following identifier:

CVE ID | Description | Vulnerability Type | Pre-conditions |
---|---|---|---|
CVE-2021-22907 | Local privilege escalation | CWE-284: Improper Access Control | Local user access to a system where Citrix Workspace app for Windows has been installed by an account with administrator privileges |
This vulnerability affects all supported versions of Citrix Workspace app for Windows but does not affect Citrix Workspace app on any other platform. Citrix Workspace app downloaded from the Windows Store is also not affected by this issue.
This vulnerability only exists if Citrix Workspace app was installed using an account with local or domain administrator privileges. It does not exist when a standard Windows user installed Citrix Workspace app for Windows.
Users with automatic updates enabled will automatically be updated to a fixed version.
The issue has been addressed in the following versions of Citrix Workspace app for Windows:
The latest version of Citrix Workspace app for Windows is available from the following Citrix website location:
<https://www.citrix.com/downloads/workspace-app/windows/>
The latest LTSR version of Citrix Workspace app for Windows is available from the following Citrix website location:
<https://www.citrix.com/downloads/workspace-app/workspace-app-for-windows-long-term-service-release/>
Citrix would like to thank Sai Cheng of Syclover Security Team for working with us to protect Citrix customers.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/en-gb/support/open-a-support-case/>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: <https://www.citrix.com/about/trust-center/vulnerability-process.html>
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time.
Date | Change |
---|---|
2021-05-11 | Initial Publication |
2021-05-11 | CVE ID Corrected |
2021-05-18 | Acknowledgements amended. Added clarification that versions installed by using an account with administrator privileges are vulnerable. |
2021-05-19 | Added clarification that Citrix Workspace App in Windows Store |