Citrix CTX477616
Feb 14, 2023 - 4:01 p.m.

Citrix Virtual Apps and Desktops Security Bulletin for CVE-2023-24483

2023-02-14 16:01:58
support.citrix.com
citrix virtual apps and desktops
windows vda
privilege escalation
vulnerability
nt authority\system
cwe-269
cr
ltsr
citrix virtual apps and desktops service

CVSS3: 7.8

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0
Percentile: 5.1%

A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA.

The vulnerability has been given the following identifier:

CVE ID: CVE-2023-24483
Description: Privilege Escalation to NT AUTHORITY\SYSTEM on the vulnerable VDA
Vulnerability Type: CWE-269: Improper Privilege Management
Pre-conditions: Local access to a Windows VDA as a standard Windows user

The vulnerability affects the following supported versions of Citrix Virtual Apps and Desktops:

Current Release (CR)

  • Citrix Virtual Apps and Desktops versions before 2212

Long Term Service Release (LTSR)

  • Citrix Virtual Apps and Desktops 2203 LTSR before CU2
  • Citrix Virtual Apps and Desktops 1912 LTSR before CU6

In addition, customers of Citrix Virtual Apps and Desktops Service who run any of the vulnerable versions of the Citrix Virtual Apps and Desktops Windows VDA are affected and need to take action.
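
To triage a VDA inventory against the affected ranges listed above, the following is an added example and is not part of the Citrix bulletin. The release label format (for example "2203 LTSR CU1"), the host names and the function names are assumptions made for illustration.

```python
import re

# Fixed levels taken from the bulletin text above.
CR_FIXED = 2212                     # Current Release: versions before 2212 are affected
LTSR_FIXED_CU = {2203: 2, 1912: 6}  # LTSR: affected before this cumulative update (CU)

# Assumed label format (hypothetical, not a Citrix format):
# "2209", "2203 LTSR", "1912 LTSR CU5"
LABEL_RE = re.compile(r"^\s*(\d{4})(?:\s+LTSR)?(?:\s+CU(\d+))?\s*$", re.IGNORECASE)


def classify(label):
    """Return 'affected', 'not_affected' or 'unknown' for one VDA release label."""
    m = LABEL_RE.match(label)
    if not m:
        return "unknown"  # unparseable label: route to manual review, never guess
    release = int(m.group(1))
    cu = int(m.group(2)) if m.group(2) else 0  # an LTSR base release counts as CU0
    if release in LTSR_FIXED_CU:
        return "affected" if cu < LTSR_FIXED_CU[release] else "not_affected"
    # Any other YYMM release is compared with the CR threshold; releases at or
    # after 2212 fall outside the bulletin's affected lists.
    return "affected" if release < CR_FIXED else "not_affected"


def triage(inventory):
    """Group (host, label) pairs by classification result."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, label in inventory:
        result[classify(label)].append(host)
    return result


# Constructed sample inventory (hosts and labels are made up for this example).
SAMPLE_INVENTORY = [
    ("vda-01", "2209"),
    ("vda-02", "2212"),
    ("vda-03", "2203 LTSR CU1"),
    ("vda-04", "2203 LTSR CU2"),
    ("vda-05", "1912 LTSR"),
    ("vda-06", "1912 LTSR CU6"),
    ("vda-07", "7.15 LTSR CU9"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown carry a label the parser does not recognise and need a manual check against the bulletin.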