Windows and Linux Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2023-24490

Jeff Silverman

Issue

A vulnerability has been identified that, if exploited, could result in the following security issue:

  • CVE-ID: CVE-2023-24490
  • Description: Users with only access to launch VDA applications can launch an unauthorized desktop
  • Pre-Requisites: Authorized user with the ability to launch a virtual application
  • CWE: CWE-284
  • CVSS: 6.3

Additional Information

The vulnerability affects the following supported versions of Windows Virtual Delivery Agent:

Current Release (CR):

  • Citrix Virtual Apps and Desktops versions before 2305

Long Term Service Release (LTSR):

  • Citrix Virtual Apps and Desktops 2203 LTSR before CU3
  • Citrix Virtual Apps and Desktops 1912 LTSR before CU7

The vulnerability affects the following supported versions of Linux Virtual Delivery Agent: 

Current Release (CR):

  • Linux Virtual Delivery Agent versions before 2305

Long Term Service Release (LTSR):

  • Linux Virtual Delivery Agent 2203 LTSR before CU3
  • Linux Virtual Delivery Agent 1912 LTSR before CU7 hotfix 1 (19.12.7001)

Recommended Action

Recent versions of Citrix Virtual Apps and Desktops contain fixes for this vulnerability.

Citrix Virtual Apps and Desktops:

  • Citrix Virtual Apps and Desktops 2305 and later versions
  • Citrix Virtual Apps and Desktops 2203 LTSR CU3 and later cumulative updates
  • Citrix Virtual Apps and Desktops 1912 LTSR CU7 and later cumulative updates

Linux Virtual Delivery Agent:

  • Linux Virtual Delivery Agent 2305 and later versions
  • Linux Virtual Delivery Agent 2203 LTSR CU3 and later cumulative updates
  • Linux Virtual Delivery Agent 1912 LTSR CU7 hotfix 1 (19.12.7001) and later cumulative updates

Citrix strongly recommends that customers upgrade to versions of Virtual Apps and Desktops and Linux Virtual Delivery Agent that contain the fixes as soon as possible.

More Information

Read the complete bulletin here.