Research outfit Pen Test Partners has uncovered a vulnerability in the Citrix Workspace app for Windows that allows local privilege escalation and, in some configurations, full remote compromise of the host machine.
The flaw, CVE-2020-8207 (its CVE entry was not yet public at the time of publication), abuses Workspace app's automatic update service, which is reached over a named pipe, to run code on any machine with a vulnerable installation.
Citrix has patched the hole, and users of Workspace app should install a fixed version (2006.1, or 1912 LTSR CU1 on the long-term branch) sooner rather than later.
While Citrix asserted that the vuln only affects Workspace app installations performed by a local or domain admin (and not those done from a bog-standard user account), any flaw in a widely used remote-working tool, in this day and age, is going to catch the world's eye rather quickly.
Ken Munro of Pen Test Partners told El Reg: "With the move to remote working, privilege escalation issues in remote desktop systems allow newly remote workers and hackers who have compromised accounts to break out of the secure environment."
PTP's Ceri Coburn figured out how to leverage Workspace app's automatic update checker by combining named-pipe access with a spoofed client process ID, thereby fooling the Workspace app update service into running arbitrary code as SYSTEM.
Coburn wrote in a detailed blog post: "Whilst a low privilege account is required to perform the attack, environments that do not implement SMB signing are particularly vulnerable since an attack can be achieved without knowing valid credentials through NTLM credential relaying."
Turning that into full compromise of the Workspace app's client machine required some very lateral thinking about Microsoft's implementation of named pipes. Coburn wrote: "Another unique feature of pipes allows the server to impersonate the client user," adding that "quite often the server side of a named pipe is implemented within high privilege services."
PTP's Munro concluded: "The remote execution element of the vulnerability could have been avoided completely if the correct permissions were configured on the named pipe. The software update component is designed to run locally, so no remote connectivity is required for it to function." ®
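The two fixes the researchers point at, a pipe DACL that keeps remote callers out and a server that identifies its caller by token rather than by a client-reported process ID, as an added example that is not Citrix's code or Pen Test Partners' proof of concept. It assumes Windows PowerShell 5.1 on .NET Framework; the pipe name `ExampleUpdaterPipe` and the `check-for-updates` message are made up for the example.

```powershell
# Added example, not Citrix's code or PTP's proof of concept. Assumes Windows
# PowerShell 5.1 (.NET Framework); the pipe name and message format are invented.
# Two things the article's findings call for:
#  1. a DACL that denies NT AUTHORITY\NETWORK, so the pipe is unreachable over SMB;
#  2. deciding who the caller is from its token (impersonation), never from a
#     client-reported process ID, and doing work on its behalf as that caller.

Add-Type -AssemblyName System.Core
$PipeName = 'ExampleUpdaterPipe'    # hypothetical, not the real Citrix pipe name

function New-LocalOnlyPipeSecurity {
    # Allow local authenticated users to connect, but deny the NETWORK logon SID
    # (S-1-5-2) that every client authenticated over SMB carries. Deny ACEs are
    # evaluated before Allow ACEs, so remote callers get ACCESS_DENIED at connect.
    $sec      = [System.IO.Pipes.PipeSecurity]::new()
    $authUser = [System.Security.Principal.SecurityIdentifier]::new(
                    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
    $network  = [System.Security.Principal.SecurityIdentifier]::new(
                    [System.Security.Principal.WellKnownSidType]::NetworkSid, $null)
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $authUser, [System.IO.Pipes.PipeAccessRights]::ReadWrite,
        [System.Security.AccessControl.AccessControlType]::Allow))
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $network, [System.IO.Pipes.PipeAccessRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Deny))
    return $sec
}

function Start-LocalOnlyPipeServer {
    # Serves one request on \\.\pipe\$Name and reports who really sent it.
    param([string]$Name = $PipeName)
    $server = [System.IO.Pipes.NamedPipeServerStream]::new(
        $Name, [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None, 4096, 4096,
        (New-LocalOnlyPipeSecurity))
    try {
        $server.WaitForConnection()
        $reader  = [System.IO.StreamReader]::new($server)
        $request = $reader.ReadLine()        # read first: impersonation needs client data
        # The caller's identity comes from the token on the pipe, which the client
        # cannot forge, unlike a process ID it reports or that the server looks up.
        $caller = $server.GetImpersonationUserName()
        $seenAs = [System.Collections.Generic.List[string]]::new()
        $server.RunAsClient({
            # Anything privileged done "for" the client runs with the client's
            # token here, so a low-privilege caller cannot borrow SYSTEM.
            $seenAs.Add([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
        })
        return [ordered]@{ Request = $request; Caller = $caller; RanAs = $seenAs[0] }
    } finally {
        $server.Dispose()
    }
}

function Send-PipeRequest {
    # Local client; run from a second PowerShell window after the server is up.
    param([string]$Name = $PipeName, [string]$Message = 'check-for-updates')
    $client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $Name,
                  [System.IO.Pipes.PipeDirection]::InOut)
    $client.Connect(5000)
    $writer = [System.IO.StreamWriter]::new($client)
    $writer.AutoFlush = $true
    $writer.WriteLine($Message)
    $client.Dispose()
}
```

Run `Start-LocalOnlyPipeServer` in one window and `Send-PipeRequest` in another: the server returns the request together with the connecting account's name, obtained from its token. A client on another host opening `\\<host>\pipe\ExampleUpdaterPipe` is authenticated over SMB, so its token carries the NETWORK SID and the deny ACE rejects the connection before any request is read. Native Win32 callers of CreateNamedPipe can get the same effect with the PIPE_REJECT_REMOTE_CLIENTS flag; on PowerShell 7 the server would be built with `[System.IO.Pipes.NamedPipeServerStreamAcl]::Create(...)` and the same arguments.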