Citrix Workspace App 19.12



  1. WARNING: Citrix Receiver / Citrix Workspace app below version.1063 is no longer supported! Please download and install Citrix Workspace app 19.12 LTSR to continue using your Citrix hosted applications. If you are using MyPlace Anywhere, please upgrade the HDX RealTime Media Engine as well.
  2. Citrix Gateway to Workspace for Web (browser) Citrix Gateway to StoreFront Services site (native) Anonymous Yes Yes Domain Yes Yes Yes Yes. Yes. Domain pass-through Yes Yes Yes Security token Yes. Yes. Two-factor authentication (domain with security token) Yes. Yes. SMS Yes. Yes. Smartcard Yes Yes Yes Yes User certificate Yes (Citrix Gateway plug-in.

Applicable Products

Description of Problem

A vulnerability has been identified in the automatic update service of Citrix Workspace app for Windows that could result in:

  • A local user escalating their privilege level to that of an administrator on the computer running Citrix Workspace app for Windows.

  • A remote compromise of the computer running Citrix Workspace app when Windows file sharing (SMB) is enabled.

The issue has the following identifier:

  • CVE-2020-8207

This vulnerability affects the following supported versions of Citrix Workspace app for Windows:

  • Citrix Workspace app 2002, 2006 and 2006.1 for Windows
  • Citrix Workspace app 1912 LTSR for Windows (before CU1 Hotfix 1)

Note that this vulnerability was originally reported against a subset of the versions above. However, further investigation has discovered potential variant forms of this attack and the affected versions have been amended accordingly.

This vulnerability does not affect Citrix Workspace app on any other platforms or any supported versions of Citrix Receiver.

Mitigating Factors

This vulnerability only exists if Citrix Workspace app was installed using an account with local or domain administrator privileges. It does not exist when a standard Windows user installed Citrix Workspace app for Windows.

A remote compromise is only possible when the user has enabled Windows file sharing (SMB) and only when the updater service is running. If authentication is required for SMB then an attacker must be able to authenticate before they could exploit this issue.

Users with automatic updates enabled and applied should have already been updated to a fixed version.

What Customers Should Do

The issue has been addressed in the following versions of Citrix Workspace app for Windows:

  • Citrix Workspace App 2008 or later
  • Citrix Workspace App 1912 LTSR CU1 Hotfix 1 (19.12.1001) and later cumulative updates

Note that these versions have been updated since the original publication of this bulletin.

Citrix strongly recommends that customers check if the version they are running has been automatically updated and, if necessary, upgrade to a fixed version as soon as possible.
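
The version check recommended above can be scripted against a software inventory. The following is an added example, not Citrix code: the 19.12.1001 threshold and the affected/fixed rules come from this bulletin, while the mapping of release 2008 to version 20.8.x, the host names and the build numbers in the sample inventory are assumptions constructed for illustration.

```python
import re

# Thresholds from the bulletin. Assumption: release "2008" reports as 20.8.x,
# the same way 1912 LTSR CU1 Hotfix 1 reports as 19.12.1001.
FIXED_LTSR = (19, 12, 1001)
FIXED_CURRENT = (20, 8)

def parse_version(text):
    """Return (major, minor, build) as ints, or None if the string is malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    parts = [int(p) for p in text.split(".")] + [0]
    return tuple(parts[:3])

def classify(version, platform="windows", admin_install=True):
    """Map one install to its CVE-2020-8207 status per the bulletin's rules."""
    if platform.lower() != "windows":
        return "not-applicable"         # other platforms are not affected
    v = parse_version(version)
    if v is None:
        return "unparseable"
    if v < (19, 12, 0):
        return "unlisted"               # older than any version the bulletin names
    if v[:2] == (19, 12):
        fixed = v >= FIXED_LTSR         # LTSR line: CU1 Hotfix 1 and later CUs
    else:
        fixed = v[:2] >= FIXED_CURRENT  # assumption: any later build below 20.8 is affected
    if fixed:
        return "fixed"
    # Mitigating factor: the flaw exists only for administrator installs.
    return "vulnerable" if admin_install else "not-exposed"

# Constructed inventory: (host, platform, version, installed by an administrator)
INVENTORY = [
    ("ws-001", "windows", "19.12.0.119", True),
    ("ws-002", "windows", "19.12.1001.3", True),
    ("ws-003", "windows", "20.6.1.5", False),
    ("ws-004", "windows", "20.8.0.24", True),
    ("mac-001", "macos", "19.12.0.23", True),
]

def triage(inventory):
    """Return {host: status} for every inventory row."""
    return {host: classify(ver, plat, admin) for host, plat, ver, admin in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:8} {status}")
```

Hosts reported as "not-exposed" still run an affected build and should be upgraded; the status only reflects the mitigating factor that a standard-user install does not carry the flaw.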

The latest version of Citrix Workspace app for Windows is available from the following Citrix website location:

The latest LTSR version of Citrix Workspace app for Windows is available from the following Citrix website location:

Acknowledgements

Citrix would like to thank Ceri Coburn at Pen Test Partners for working with us to protect Citrix customers during both the initial disclosure of this issue and subsequent variants.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html.

Changelog

Date        Change
2020-07-21  Initial Publication
2020-09-08  Revision of fixed versions

Walter Hopgood | Enthusiast | 18 | Members | 19 posts

Things have been stable with Citrix Workspace for the last year or so, with zero performance issues. My system upgraded to 19.12.0.23 a few days ago and I've noticed performance lag / beachball is starting again. Not as horrific as the first time we went through this, but it's still significant enough to cause a five second pause in work every three to five minutes of work. I've seen this mostly using Citrix with Cerner applications, but have also seen it with Office 365 applications.

Citrix Workspace 19.12.0.23 (1912)

macOS Catalina 10.15.2

MacBook Pro 2017 Intel Dual Core i5 16Gb RAM with 8Gb free