- 136/2023
- Critical
Citrix has released security updates to address several vulnerabilities in CVAD, Citrix DaaS, and ShareFile StorageZones Controller.
The addressed vulnerabilities could allow the remote attacker to bypass security restrictions, and obtain administrative access by sending a specially crafted request to the affected system.
The addressed vulnerabilities:
1. ShareFile StorageZones Controller Vulnerability (CVE-2023-24489):
- CVSS: 9.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
2. Citrix Virtual Apps, Desktops, and Linux Virtual Delivery Agent Vulnerability (CVE-2023-24490):
- CVSS: 6.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Bypass Security
Sample of the affected products:
- Citrix Linux Virtual Delivery Agent versions before 2305.
- Citrix Virtual Apps and Desktops 2203 LTSR before CU3.
- Citrix Virtual Apps and Desktops 1912 LTSR before CU7.
- All versions of customer-managed ShareFile storage zones controller before version 5.11.24.
Vulnerabilities
- CVE-2023-24489
- CVE-2023-24490
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.