Citrix Workspace App 2020



Research outfit Pen Test Partners has uncovered a vulnerability in the Citrix Workspace app potentially allowing a privilege escalation to lead to full remote compromise of the host machine.

Citrix Workspace app is software that provides access to your applications and desktops using Citrix Virtual Apps and Desktops from a remote client device. It is available for Windows, Mac, Linux, iOS, Chrome and other platforms, and can be used on domain-joined and non-domain-joined PCs, tablets, and thin clients. It provides high-performance use of virtualized Skype for Business, line-of-business and HDX 3D Pro engineering apps, multimedia, and local app access.

  1. Remember this Citrix utility I wrote 8 years ago? Me neither, or at least I wouldn't, if you would stop emailing me about it. In light of COVID-19, constant pestering and people's desire to avoid work, I've re-written it and I'm putting the whole project up here so you can have it.
  2. After installing Citrix Workspace, you will need to go to the Preferences of that application and Add an account. When adding the account, input the address, https://citrix.

The flaw, CVE-2020-8207 (not yet reserved at the time of publication), sees Workspace app's automatic update feature abused to gain access to a vulnerable Workspace app installation, with the attack vector being a named pipe.


The hole has been patched and users of Citrix Workspace app should install the latest version (2006.1 or 1912 LTSR CU1) sooner rather than later.

While Citrix asserted that the vuln only affects Workspace app installations installed by either a local or domain admin (and not a bog-standard user account), any flaw in a widely used remote-working tool, in this day and age, is going to catch the world's eye rather quickly.


Ken Munro of Pen Test Partners told El Reg: 'With the move to remote working, privilege escalation issues in remote desktop systems allow newly remote workers and hackers who have compromised accounts to break out of the secure environment.'

PTP's Ceri Coburn figured out how to leverage Workspace app's automatic update checker through a combination of named pipes and spoofed client process IDs, thereby fooling the Workspace app update service into running arbitrary code as SYSTEM.

Coburn wrote in a detailed blog post: 'Whilst a low privilege account is required to perform the attack, environments that do not implement SMB signing are particularly vulnerable since an attack can be achieved without knowing valid credentials through NTLM credential relaying.'


Turning that into full compromise of the Workspace app's client machine required some very lateral thinking about Microsoft's implementation of named pipes. Coburn wrote: 'Another unique feature of pipes allows the server to impersonate the client user,' adding that 'quite often the server side of a named pipe is implemented within high privilege services.'

PTP's Munro concluded: 'The remote execution element of the vulnerability could have been avoided completely if the correct permissions were configured on the named pipe. The software update component is designed to run locally, so no remote connectivity is required for it to function.' ®
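As an added illustration of Munro's point about pipe permissions (this is not code from Pen Test Partners or Citrix), the following Python example runs a simplified Windows access check over SDDL security descriptors to flag named pipes that a remote, low-privileged account could write to. The pipe names, descriptors and token group sets are constructed for the example, and the check ignores owner rights, integrity levels and the `PIPE_REJECT_REMOTE_CLIENTS` pipe flag.

```python
import re

FILE_WRITE_DATA = 0x0002  # one of the rights a client needs to send data into a pipe
# SDDL rights codes as file/pipe access masks (generic rights pre-mapped).
RIGHTS = {"FA": 0x1F01FF, "GA": 0x1F01FF, "FR": 0x120089, "GR": 0x120089,
          "FW": 0x120116, "GW": 0x120116, "FX": 0x1200A0, "GX": 0x1200A0}
# Assumed group SIDs (SDDL aliases) in a low-privileged user's token.
REMOTE_USER = {"WD", "AU", "NU"}  # Everyone, Authenticated Users, NETWORK
LOCAL_USER = {"WD", "AU", "IU"}   # Everyone, Authenticated Users, INTERACTIVE
# ACE layout: (type;flags;rights;object;inherit_object;sid); allow/deny only.
ACE_RE = re.compile(r"\(([AD]);[^;]*;([^;]*);[^;]*;[^;]*;([^;)]+)\)")

def parse_mask(rights):
    """Turn an SDDL rights field ('FA', 'GRGW', '0x12019b') into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS.get(code, 0)  # codes outside the table are ignored
    return mask

def can_write(sddl, token_sids, wanted=FILE_WRITE_DATA):
    """Simplified access check: walk the DACL in order, first decision wins."""
    if "D:" not in sddl:
        return True                  # NULL DACL: everyone gets full access
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    remaining = wanted
    for ace_type, rights, sid in ACE_RE.findall(dacl):
        if sid not in token_sids:
            continue
        mask = parse_mask(rights)
        if ace_type == "D" and mask & remaining:
            return False             # a matching deny ACE ends the check
        if ace_type == "A":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False                     # requested right was never granted

def audit(pipes):
    """Return the pipes a remote low-privileged user could write to."""
    return [name for name, sddl in pipes.items() if can_write(sddl, REMOTE_USER)]

# Constructed sample descriptors; the pipe names are hypothetical.
SAMPLE = {
    r"\\.\pipe\ExampleUpdater": "D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;GRGW;;;WD)",
    r"\\.\pipe\ExampleHardened": "D:(D;;FA;;;NU)(A;;FA;;;SY)(A;;FA;;;BA)(A;;GRGW;;;IU)",
}
```

The hardened descriptor places a deny ACE for the NETWORK SID first, so a local interactive user keeps access while the same account arriving over SMB does not.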


I've run into an issue I'm trying to get sorted out. I just got a new Mac Mini M1 (16 GB/512 GB) and when I get into Citrix Workspace to access my company's system, I can do everything just fine with the one exception that any time I use Command + any other key (e.g. Command-C to copy, Command-A to select all, etc.), it causes Citrix to unexpectedly quit and gives me an error report.
I've tried restarting everything to no avail.
I tried to recreate the problem on my late 2013 rMBP that I'd been using and no issues there. And no issues with command+__ in any usage case outside of the Citrix Workspace app.
They are both running Big Sur 11.1 and the newest version of the Citrix Workspace app, so the only thing I can think of is that it is somehow related to the M1 chip, but no idea whether that would cause the issue or not.
Anyone else run into this issue?