Security News > 2020 > September > Known Citrix Workspace Bug Open to New Attack Vector
To fix the problem, the latest update catalogs are now directly downloaded from the Citrix update servers, and the service "Cross-references the hashes with the file that is requested for install from the UpdateFilePath attribute," wrote researchers at Pen Test Partners, in a Monday posting.
"If the update file is signed, valid and the hash of the update file matches one of the files within the manifest, the update file is executed to perform the upgrade," they explained.
Since the MSI file is checked for a valid signature and is cross-referenced with the current catalog, attackers can't directly install arbitrary MSI files.
To apply an MST, users would specify the path to the transform file on the command line, which merges the main MSI file with changes that are present within the MST file during the installation process.
Therein lies the bug: "Since we can control the arguments passed to msiexec, we can include the path to a malicious Transform but using an official, signed Citrix MSI that is present within the catalog file," researchers said.