| Developer(s) | Citrix |
|---|---|
| Stable release | |
| Operating system | Windows |
| Type | Desktop virtualization software |
| License | Proprietary |
| Website | www.citrix.com |
- This vulnerability affects the following supported versions of Citrix Workspace app for Windows: Citrix Workspace app 2002, 2006 and 2006.1 for Windows Citrix Workspace app 1912 LTSR for Windows (before CU1 Hotfix 1) Note that this vulnerability was originally reported against a subset of the versions above.
- Citrix Workspace app 2006 for Windows was released on June 3rd 2020. However, post release it was discovered that this version of the application did not detect the native workspace app when you login to Workspace for Web in some scenarios.
- Jun 07, 2020 Citrix Workspace 2006 is a program offered by the software company Citrix Systems, Inc. Frequently, computer users decide to erase this application. This is easier said than done because doing this manually requires some advanced knowledge regarding removing Windows applications by hand.
- Jun 18, 2020 Service Current Release 2012 2009 2006 2003 1912 1909 1906 1903. Workspace Environment Management 2103. Select CitrixWorkspace Environment Management WEM.
Citrix Workspace (formerly Citrix Workspace Suite) is a digital workspacesoftware platform developed by Citrix Systems that allows multiple users to remotely access and operate Microsoft Windowsdesktops running in a datacenter or a public or private cloud, via devices located elsewhere.[1][2] Users are able to access virtual desktops and applications through Citrix Workspace App.[3] Applications are delivered and managed via Citrix Virtual Apps.[2]
References[edit]
Citrix fixed this issue in Workspace app for Windows 2006.1 RFWIN-17890 Endpoints with high-end sound cards (Studio quality) might fail to load in optimized mode. See section #2.1 below. Clicking on Teams/Settings/Devices will show 'None'.
- ^'Citrix makes VDI faster, secure, more reliable and cheaper on storage with the latest XenApp and XenDesktop'. Cloud Computing Intelligence. August 20, 2014. Retrieved 15 July 2015.CS1 maint: discouraged parameter (link)
- ^ abRicknäs, Mikael (April 14, 2008). 'Citrix sets price and release date for XenDesktop'. Network World. Retrieved 25 June 2015.CS1 maint: discouraged parameter (link)
- ^Howsw, Brett (July 14, 2015). 'Citrix brings full support for Windows 10 to its desktop virtualization products'. AnandTech. Retrieved 14 July 2015.CS1 maint: discouraged parameter (link)
- Citrix Workspace App
Description of Problem
A vulnerability has been identified in the automatic update service of Citrix Workspace app for Windows that could result in:
A local user escalating their privilege level to that of an administrator on the computer running Citrix Workspace app for Windows.
A remote compromise of the computer running Citrix Workspace app when Windows file sharing (SMB) is enabled.
The issue has the following identifier:
CVE-2020-8207
This vulnerability affects the following supported versions of Citrix Workspace app for Windows:
- Citrix Workspace app 2002, 2006 and 2006.1 for Windows
- Citrix Workspace app 1912 LTSR for Windows (before CU1 Hotfix 1)
Note that this vulnerability was originally reported against a subset of the versions above. However, further investigation has discovered potential variant forms of this attack and the affected versions have been amended accordingly.
This vulnerability does not affect Citrix Workspace app on any other platforms or any supported versions of Citrix Receiver.
Mitigating Factors
This vulnerability only exists if Citrix Workspace app was installed using an account with local or domain administrator privileges. It does not exist when a standard Windows user installed Citrix Workspace app for Windows.
A remote compromise is only possible when the user has enabled Windows file sharing (SMB) and only when the updater service is running. If authentication is required for SMB then an attacker must be able to authenticate before they could exploit this issue.
Users with automatic updates enabled and applied should have already been updated to a fixed version.
What Customers Should Do
The issue has been addressed in the following versions of Citrix Workspace app for Windows:
- Citrix Workspace App 2008 or later
- Citrix Workspace App 1912 LTSR CU1 Hotfix 1 (19.12.1001) and later cumulative updates
Note that these versions have been updated since the original publication of this bulletin.
Citrix strongly recommends that customers check if the version they are running has been automatically updated and, if necessary, upgrade to a fixed version as soon as possible.
The latest version of Citrix Workspace app for Windows is available from the following Citrix website location:
Citrix Workspace 2006 For Windows Download
The latest LTSR version of Citrix Workspace app for Windows is available from the following Citrix website location:
Citrix Receiver
Acknowledgements
Citrix would like to thank Ceri Coburn at Pen Test Partners for working with us to protect Citrix customers during both the initial disclosure of this issue and subsequent variants.
Citrix Workspace 2006 Mac
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix Workspace Download
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html.
Citrix 2006 Download
Changelog
Citrix Workspace 2006 Download
| Date | Change |
| 2020-07-21 | Initial Publication |
| 2020-09-08 | Revision of fixed versions |