<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1462084720533760&amp;ev=PageView&amp;noscript=1">
Virsec Security Research Lab

CVE-2020-8270 Command Injection in Citrix VDA or SMB

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

Vulnerabilities have been identified in Citrix Virtual Apps and Desktops that could, if exploited, result in:

  • A user of a multi-session Windows VDA being able to escalate their privilege level on that VDA to SYSTEM.

  • Remote compromise of a Windows VDA that has Citrix App-V Service installed and Windows file sharing (SMB) enabled.

  • A user on a Windows host that is running Citrix Universal Print Server (UPS) being able to escalate their privilege level on that computer to SYSTEM.

Watch the video to learn more about this and other important vulnerabilities.

CVSS Score

The CVSS Base score of this vulnerability has not yet been assigned.

Affected Version

  • Citrix Virtual Apps and Desktops 2006 and earlier versions

  • Citrix Virtual Apps and Desktops 1912 LTSR CU1 and earlier versions of 1912 LTSR

  • Citrix XenApp / Xen Desktop 7.15 LTSR CU6 and earlier versions of 7.15 LTSR

  • Citrix XenApp / Xen Desktop 7.6 LTSR CU8 and earlier versions of 7.6 LTSR

Please note that Citrix XenApp / XenDesktop 7.6 LTSR is not affected by CVE-2020-8270.

Vulnerability Attribution

Hannay Al-Mohanna of F-Secure Consulting and Michael Garrison of State Farm Information Security.

Risk Impact

SYSTEM privileges are the highest level of privilege. A user with that privilege can turn the machine into a brick very quickly.

Virsec Security Platform (VSP) Support

The Virsec Security Platform (VSP)- The NVD has not analyzed this vulnerability and any submitted exploits and has not assigned any CVSS score as well. Virsec will respond once details become known.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.