PT-2020-6864 · Citrix · Citrix Virtual Apps/Desktops

Published: 2020-11-10 · Updated: 2020-12-03 · CVE-2020-8269

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Citrix Virtual Apps and Desktops (CVAD) versions prior to 2009
Citrix Virtual Apps and Desktops (CVAD) versions 1912 LTSR CU1 before hotfixes CTX285870 and CTX286120
Citrix Virtual Apps and Desktops (CVAD) versions 7.15 LTSR CU6 before hotfix CTX285344
Citrix Virtual Apps and Desktops (CVAD) versions 7.6 LTSR CU9

Description

The issue is related to insufficient access control in the Virtual Delivery Agent (VDA) of Citrix Virtual Apps and Desktops (CVAD) when used in multi-session mode on Windows operating systems. This can allow a remote attacker to elevate privileges and execute arbitrary commands.

Recommendations

For CVAD versions prior to 2009, apply the latest security updates to fix the issue.
For CVAD versions 1912 LTSR CU1, apply hotfixes CTX285870 and CTX286120.
For CVAD versions 7.15 LTSR CU6, apply hotfix CTX285344.
For CVAD versions 7.6 LTSR CU9, update to a newer version that includes the security fix.

Fix

Improper Privilege Management

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-02352
CVE-2020-8269

Affected Products

Citrix Virtual Apps/Desktops
Windows