Stick that in your named pipe and smoke it: Flaw in Citrix Workspace app could let remote attacker pwn host
Research outfit Pen Test Partners has uncovered a vulnerability in the Citrix Workspace app potentially allowing a privilege escalation to lead to full remote compromise of the host machine.
The flaw, CVE-2020-8207, sees Workspace app's automatic update feature abused to gain access to a vulnerable Workspace app installation, with the attack vector being a named pipe.
The hole has been patched and users of Citrix Workspace app should install the latest version sooner rather than later.
While Citrix asserted that the vuln only affects Workspace app installations performed by either a local or domain admin, any flaw in a widely used remote-working tool, in this day and age, is going to catch the world's eye rather quickly.
PTP's Ceri Coburn figured out how to leverage Workspace app's automatic update checker through a combination of named pipes and spoofed client process IDs, thereby fooling the Workspace app update service into running arbitrary code as SYSTEM. Coburn wrote in a detailed blog post: "Whilst a low privilege account is required to perform the attack, environments that do not implement SMB signing are particularly vulnerable since an attack can be achieved without knowing valid credentials through NTLM credential relaying."
News URL
https://go.theregister.com/feed/www.theregister.com/2020/07/21/citrix_workspace_app_vuln/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-07-24 | CVE-2020-8207 | Improper Authentication vulnerability in Citrix Workspace 1912/2002. Improper access control in Citrix Workspace app for Windows 1912 CU1 and 2006.1 causes privilege escalation and code execution when the automatic updater service is running. | 8.8 |