Citrix has been warning users since September 2022 about a vulnerability in its Citrix Workspace app. There are reports that passwords stored by Citrix SSON in process memory can be retrieved at the user level. The December 2, 2022 update provides fixes to close the vulnerability. However, it looks like the information is still accessible for administrator accounts.
I came across this issue via the following tweet; Citrix discloses it in the support post "Impact of Citrix SSO storing sensitive information in user-level process memory".
Citrix seems to have received reports on Twitter claiming that users are able to retrieve passwords that Citrix SSON stores in process memory, at the user level, via a new Mimikatz module. After analysis, the vendor qualifies that this vulnerability probably only exists in the Citrix Workspace app for Windows if SSON (Single Sign-On) has been enabled there on a device registered in the domain.
Citrix has released updated versions of the Citrix Workspace app for Windows with fixes that prevent standard users, without administrator privileges, from stealing passwords from user-level process memory:
- CWA 2210.5: Citrix Workspace app 2210.5 for Windows
- CWA 2203 LTSR CU2: Citrix Workspace app 22.03.2000 for Windows, LTSR Cumulative Update 2
- CWA 1912 LTSR CU7 Hotfix: Hotfix – Citrix Workspace app for Windows 1912 LTSR CU7 Hotfix 2 (19.12.7002) – English
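The fixed builds listed above can be checked against a client inventory. The following Python sketch is an added example, not code from Citrix or the original post; it assumes dotted version strings, that 2210.5 is reported as 22.10.5.x, that later current releases carry the fix, and it uses constructed host names, build numbers and column names.

```python
import csv
import io

# Minimum fixed build per release track, taken from the article's list.
# Assumption: installed versions are reported as dotted strings and the
# current release "2210.5" shows up as 22.10.5.x.
FIXED_LTSR = {
    (19, 12): (19, 12, 7002),   # 1912 LTSR CU7 Hotfix 2
    (22, 3): (22, 3, 2000),     # 2203 LTSR CU2
}
FIXED_CURRENT = (22, 10, 5)     # CWA 2210.5 (current release)

# Constructed sample inventory (hypothetical hosts, builds and columns).
SAMPLE = """host,cwa_version,sson_enabled,domain_joined
ws-001,22.10.5.14,yes,yes
ws-002,22.3.1000.1016,yes,yes
ws-003,19.12.7000.10,no,yes
ws-004,19.12.7002.5,yes,yes
ws-005,22.7.0.25,yes,no
ws-006,21.12.0.18,yes,yes
"""

def parse_version(text):
    """Turn '22.03.2000.2105' into (22, 3, 2000, 2105)."""
    return tuple(int(part) for part in text.strip().split("."))

def is_fixed(version_text):
    version = parse_version(version_text)
    # An LTSR track is compared only with its own fixed build; anything
    # else is treated as a current release and compared with 2210.5.
    minimum = FIXED_LTSR.get(version[:2], FIXED_CURRENT)
    return version[:3] >= minimum

def triage(inventory_csv):
    """Return {host: status}: 'fixed', 'exposed' or 'outdated'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_fixed(row["cwa_version"]):
            status = "fixed"
        elif row["sson_enabled"] == "yes" and row["domain_joined"] == "yes":
            # Condition under which the vendor says the issue applies.
            status = "exposed"
        else:
            status = "outdated"
        result[row["host"]] = status
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

Hosts marked `exposed` run an unfixed build with SSON enabled on a domain-joined device; `outdated` hosts are unfixed but do not meet that condition.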
Citrix also recommends that its customers consider using Windows AppLocker and/or only run trusted software on their systems to mitigate any potential risk.
Benjamin Delpy points out in this tweet that an administrator can still retrieve all passwords with the current Mimikatz version.