- 306/2024
- High
Citrix has released security updates to address several vulnerabilities affecting multiple Citrix products including a zero-day vulnerability.
The addressed vulnerabilities could allow the attacker to gain elevated privileges, perform denial of service attacks, or execute arbitrary code and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Citrix Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2024-8534):
- CVSS: 8.4
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
2. Citrix Expected Behavior Violation Vulnerability (CVE-2024-8535):
- CVSS: 5.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
The Affected Products:
- Citrix Session Recording.
- Citrix NetScaler ADC.
- Citrix NetScaler Gateway.
- Citrix XenServer.
- Citrix Hypervisor.
It should be highlighted that security researchers disclosed a proof-of-concept (PoC) exploit that exists in the wild for CVE-2024-8069.
Vulnerabilities
- CVE-2024-8068
- CVE-2024-8069
- CVE-2024-8534
- CVE-2024-8535
- CVE-2024-45818
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.