The pandemic has seen organizations around the world enable their workers to do business from home, and many are using VPN services to connect to their corporate networks. However, the growing reliance on VPNs has drawn increased interest from cybercriminals looking to exploit vulnerabilities in popular VPN software.
While Cympton security researcher Chen Erlich recently discovered a privilege escalation vulnerability in HotSpot Shield's Windows client, his latest blog post shows that consumer VPN vendors are not the only weak point: enterprise VPNs also contain vulnerabilities that cybercriminals can exploit. In fact, Erlich recently discovered several privilege escalation vulnerabilities in Citrix's widely used enterprise VPN solution, the Citrix Gateway Plug-In for Windows.
The Citrix Gateway client installs a "Citrix Gateway Service" on the user's computer. The service runs as SYSTEM and starts automatically at boot. While it is running, it executes a PowerShell script, also as SYSTEM, every five minutes. However, because powershell.exe is invoked by file name only, Windows searches through a number of directories to find it.
To exploit this vulnerability, an attacker could create a malicious file, name it powershell.exe and copy it into every directory they have write access to. If any of those directories is consulted before the genuine powershell.exe is found, the service launches the attacker's file as SYSTEM, giving them elevated privileges on systems running the Citrix Gateway Plug-In for Windows.
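The following is an added example, not code from the Citrix plug-in or from Erlich's post. It puts the two invocation patterns side by side (binary named only, versus located by absolute path) and adds an audit that lists the directories Windows would consult for an unqualified powershell.exe, in the documented CreateProcess search order, flagging the ones that grant write rights to broad principals. The function names, the genuine PowerShell location and the principal list are this example's assumptions; the application directory is omitted from the order because it depends on where the calling service lives.

```powershell
# Added example; not the Citrix Gateway Plug-In's own code.

# Vulnerable pattern: the binary is named, not located. For an unqualified name,
# CreateProcess consults the application directory, the current directory,
# System32, System, the Windows directory and then each PATH entry, in that order.
function Invoke-PeriodicCheck-Vulnerable {
    param([string]$ScriptPath)
    & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath
}

# Hardened pattern: absolute path, so the search order is never consulted.
function Invoke-PeriodicCheck-Hardened {
    param([string]$ScriptPath)
    $exe = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    & $exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath
}

# Audit: which directories are consulted before the genuine binary, and which of
# them can an ordinary user write to? (Assumed genuine location: Windows PowerShell 5.1.)
function Get-SearchOrderRisk {
    param(
        [string]$Name    = 'powershell.exe',
        [string]$Genuine = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    )
    # System32 itself does not contain powershell.exe; it is reached through a PATH
    # entry, so the current directory and every PATH entry ahead of it are in play.
    $searchOrder = @(
        (Get-Location).ProviderPath,         # for a service this is usually System32
        "$env:SystemRoot\System32",
        "$env:SystemRoot\System",
        $env:SystemRoot
    ) + ($env:Path -split ';' | Where-Object { $_ -ne '' })

    $genuineDir = (Split-Path -Parent $Genuine).TrimEnd('\')
    foreach ($dir in $searchOrder) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $acl = Get-Acl -LiteralPath $dir
        # Allow ACEs granting create/write rights to non-administrative principals.
        # 'Write' is matched conservatively, so WriteAttributes-only ACEs are flagged too.
        $weak = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            "$($_.IdentityReference)" -match 'Everyone|Authenticated Users|\\Users$|INTERACTIVE' -and
            "$($_.FileSystemRights)"  -match 'Write|CreateFiles|Modify|FullControl'
        })
        [pscustomobject]@{
            Directory       = $dir
            WritableByUsers = ($weak.Count -gt 0)
            HasCandidate    = Test-Path -LiteralPath (Join-Path $dir $Name) -PathType Leaf
        }
        # Entries after the genuine directory never win, so stop there.
        if ($dir.TrimEnd('\') -eq $genuineDir) { break }
    }
}

# Usage: show every directory ahead of the genuine one that a user can write to, or
# that already holds a file with the searched name.
Get-SearchOrderRisk | Where-Object { $_.WritableByUsers -or $_.HasCandidate } | Format-Table -AutoSize
```

Run the audit in the context that matters: a SYSTEM service resolves names against the machine PATH and its own current directory, not the interactive user's, so check it from an elevated prompt or from a scheduled task running as SYSTEM. The audit is a hunt for where a planted powershell.exe would win; the fix is the absolute path in the hardened function, which the plug-in's script lacked.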
Privilege escalation vulnerabilities
When the PowerShell script runs normally, it checks the saved VPN configurations and writes to a file called intune.log at C:\ProgramData\Citrix\AGEE\intune.log. This target directory has permissive permissions: Full Control is granted even to unprivileged users.
Before intune.log is written, if Windows finds an intune.log.backup in the same directory, it overwrites it and then writes a new intune.log. However, if the backup exists as a directory rather than a file, intune.log is moved into that directory instead. To exploit this, an attacker with a standard user account can create intune.log.backup as a directory and, inside it, a symlink from C:\ProgramData\Citrix\AGEE\intune.log.backup\intune.log to any destination file that SYSTEM can write to. When the scheduled privileged PowerShell script next runs, it moves intune.log into the backup directory, because the backup is a directory and not a file, and the contents land in the file the symlink points to. Erlich also discovered an AppData privilege escalation that can lead to arbitrary file writing and creation.
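The following is an added example, not the plug-in's script or code from the blog post. It reproduces in a scratch folder the rotation behaviour described above (Move-Item onto a name that is a directory moves the log inside it), shows a rotation routine that refuses a directory or reparse point in the backup position, and shows the root-cause fix, replacing the permissive ACL on the log directory. The file names follow the article; the function names, the scratch folder under $env:TEMP and the chosen ACL are this example's assumptions.

```powershell
# Added example; not the Citrix plug-in's script. Runs in a scratch folder.
$root   = Join-Path $env:TEMP ('rotate-demo-' + [guid]::NewGuid())
$log    = Join-Path $root 'intune.log'
$backup = Join-Path $root 'intune.log.backup'
New-Item -ItemType Directory -Path $root | Out-Null

# Vulnerable rotation: Move-Item onto an existing *file* replaces it (-Force), but
# onto an existing *directory* it moves the log inside, producing Backup\intune.log.
function Rotate-Log-Vulnerable {
    param([string]$Log, [string]$Backup)
    Move-Item -LiteralPath $Log -Destination $Backup -Force
}

# Hardened rotation: the backup slot must be absent or a plain file, never a
# directory, symlink or junction.
function Rotate-Log-Hardened {
    param([string]$Log, [string]$Backup)
    $item = Get-Item -LiteralPath $Backup -Force -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        if ($item.PSIsContainer) {
            throw "$Backup is a directory; refusing to rotate"
        }
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            throw "$Backup is a reparse point (symlink/junction); refusing to rotate"
        }
    }
    Move-Item -LiteralPath $Log -Destination $Backup -Force
}

# Root-cause fix: the directory must not grant write rights to unprivileged users.
# Replaces the DACL with SYSTEM/Administrators full control and Users read-only
# (assumed policy; run elevated against the real log directory).
function Protect-LogDirectory {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $inherit = 'ContainerInherit,ObjectInherit'
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', $inherit, 'None', 'Allow'))
    }
    $acl.AddAccessRule([Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', 'ReadAndExecute', $inherit, 'None', 'Allow'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Attacker precondition from the article: the backup name already exists as a
# directory, which the weak ACL on the log directory lets a standard user create.
New-Item -ItemType Directory -Path $backup | Out-Null
Set-Content -LiteralPath $log -Value 'vpn config check ok'

Rotate-Log-Vulnerable -Log $log -Backup $backup
"Vulnerable rotation put the log at: $((Get-ChildItem -LiteralPath $backup).FullName)"

Set-Content -LiteralPath $log -Value 'vpn config check ok'
try   { Rotate-Log-Hardened -Log $log -Backup $backup }
catch { "Hardened rotation refused: $($_.Exception.Message)" }

Remove-Item -LiteralPath $root -Recurse -Force
```

The check in Rotate-Log-Hardened still has a window between Get-Item and Move-Item in which an attacker who can write to the directory could swap the backup for a directory or link, so it is defence in depth only; the fix that removes the bug is Protect-LogDirectory, since a privileged process should never rotate files in a location that unprivileged users can modify.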
According to a security update from Citrix, Citrix Gateway Plug-in 13.0 for Windows before 64.35, Citrix Gateway Plug-in 12.1 for Windows before 59.16 and Citrix Gateway Plug-in 12.1 for Windows before 55.190 are all affected. Fortunately, the company has already issued fixes for the vulnerabilities discovered by Erlich, which can be found here.
As businesses now rely on VPN services to support their remote workers, keeping those services up to date is an essential step to avoid falling victim to attacks that exploit known vulnerabilities.