Citrix admins advised to install hotfixes to block vulnerabilities
- The exploit is limited to the Citrix Session Recording server, which is an optional component of a Citrix Virtual Apps and Desktops deployment.
- Session Recording Server is typically deployed on a standalone Windows Server.
- VDA and other Citrix infrastructure components are not impacted.
- It is a security best practice that the Session Recording Server be installed on a trusted machine inside the corporate network and not be reachable from the internet.
- For the vulnerability reported, the attacker exploits Microsoft MSMQ technology to send malicious objects to the Session Recording server. This requires the attacker to be on a trusted machine which is in the same domain as the Session Recording server. Citrix recommends that customers enable HTTPS integration with Active Directory as the authentication method for communication with MSMQ.
- If exploits were successfully executed on the Session Recording server, they would run in the less privileged Network Service context, not in the System context.
- The Session Recording server can be updated independently of other Citrix components.
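The points above turn on one exposure question: who can reach the MSMQ listener on the Session Recording server. The PowerShell audit below is an added example, not Citrix's code and not from the article. It checks, on the host itself, whether the Message Queuing service is installed and running, whether its default TCP listener (port 1801) is bound, and which enabled inbound firewall rules allow that port and from which remote addresses. It assumes a Windows Server with the NetSecurity and NetTCPIP modules available (Windows Server 2012 or later); the `$TrustedSubnets` list and the `Get-MsmqExposure` function name are constructed for this example.

```powershell
# Added audit example (not Citrix's code, not from the article).
# Run on the Session Recording server to see how far its MSMQ listener is reachable.
# Assumes Windows Server with the NetSecurity/NetTCPIP modules; $TrustedSubnets is
# a constructed placeholder to replace with the organisation's internal ranges.

$TrustedSubnets = @('10.0.0.0/8', '192.168.0.0/16')  # placeholder values
$MsmqPort       = 1801                                # MSMQ default TCP listener

function Get-MsmqExposure {
    $result = [ordered]@{
        ServiceInstalled   = $false
        ServiceRunning     = $false
        Listening          = $false
        OpenToAnyRemote    = @()   # rules allowing TCP/1801 from any source address
        OpenToScopedRemote = @()   # rules allowing TCP/1801 from an explicit address scope
    }

    # 1. Is Message Queuing installed and running? (Windows service name is "MSMQ")
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceInstalled = $true
        $result.ServiceRunning   = ($svc.Status -eq 'Running')
    }

    # 2. Is the MSMQ TCP port actually bound on this host?
    $listen = Get-NetTCPConnection -LocalPort $MsmqPort -State Listen -ErrorAction SilentlyContinue
    $result.Listening = [bool]$listen

    # 3. Which enabled inbound allow rules expose that port, and to whom?
    #    LocalPort may be 'Any', one port, or a list; ranges such as "1800-1810"
    #    are not expanded here and should be reviewed by hand.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -notin @('TCP', 'Any')) { continue }
        $lp = @($pf.LocalPort)
        if (-not ($lp -contains 'Any' -or $lp -contains "$MsmqPort")) { continue }

        $af     = $rule | Get-NetFirewallAddressFilter
        $remote = @($af.RemoteAddress)
        $entry  = [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            LocalPort     = ($lp -join ',')
            RemoteAddress = ($remote -join ',')
        }
        # 'Any' means the rule accepts the port from every source address, so the
        # only thing keeping non-domain hosts out is the network around the server.
        if ($remote -contains 'Any') { $result.OpenToAnyRemote    += $entry }
        else                         { $result.OpenToScopedRemote += $entry }
    }
    [pscustomobject]$result
}

$exposure = Get-MsmqExposure
$exposure | Format-List

if ($exposure.ServiceRunning -and $exposure.OpenToAnyRemote.Count -gt 0) {
    $msg = 'MSMQ is running and {0} inbound rule(s) accept TCP/{1} from any remote address; scope them to {2} and confirm the host is not reachable from the internet.'
    Write-Warning ($msg -f $exposure.OpenToAnyRemote.Count, $MsmqPort, ($TrustedSubnets -join ', '))
}
```

The script only reads state, so it is safe to run on a production server; the output gives a change-control ticket something concrete to cite (which rules to scope, whether the service needs to be running at all) alongside the vendor hotfix. A rule in `OpenToScopedRemote` is still worth reading: the scope should match the trusted, domain-joined hosts the bullet list describes, not a broad range.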
‘Emergency’ or ‘celebrity’ issue? It’s unclear, says analyst
The seriousness of the vulnerability, and how difficult it is to exploit, depend on whether it can be exploited in an unauthenticated session, said Erik Nost, a Forrester Research senior analyst; the researchers and Citrix currently disagree on that.
“The best thing for security pros to understand in scenarios like this is that there are both emergency vulnerabilities (where everything needs to be dropped to respond to) and celebrity vulnerabilities (which can get a lot of attention for news outlets/researchers),” he said. “Oftentimes, a vulnerability is an emergency and celebrity, but that’s not always the case. This one seems to be hitting celebrity status, but it’s not clear yet if it’s an emergency.”
This sheds light on the need for organizations to have a critical vulnerability response plan, he said, so that they are prepared for both emergency and celebrity vulnerabilities. Even when a vulnerability is not an emergency, it is best practice to have a strong inventory of systems and applications so teams can determine if they are impacted. For a celebrity vulnerability, communications to customers and internal teams can be prepped so everyone knows whether there is impact, and the scope of the impact. Emergency response warrants these communications as well, but also the remediation efforts.