
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN145

_____________________________________________________________________

DATE                : 15/05/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows running Citrix Workspace app,
                     Citrix Receiver.

=====================================================================
https://support.citrix.com/article/CTX251986
_____________________________________________________________________

Remote Code Execution Vulnerability in Citrix Workspace app and Receiver
for Windows

Reference: CTX251986

Category : Critical

Created  : 13 May 2019

Modified : 13 May 2019

Applicable Products

  o Receiver for Windows
  o Citrix Workspace App


Description of Problem

A vulnerability has been identified in Citrix Workspace app and Receiver
for Windows that could result in local drive access preferences not
being enforced, allowing an attacker read/write access to the client's
local drives, which could enable code execution on the client device.

This vulnerability has been assigned the following CVE number:

o CVE-2019-11634: Remote Code Execution Vulnerability in Citrix
Workspace app for Windows prior to version 1904 and Receiver for Windows
to LTSR 4.9 CU6 version earlier than 4.9.6001.

This vulnerability affects all versions of Citrix Workspace app earlier
than 1904 and Receiver for Windows to LTSR 4.9 CU6 version earlier than
4.9.6001.

This vulnerability does not affect Citrix Workspace app and Receiver on
any other platforms.


What Customers Should Do

A new version of Citrix Workspace app and Receiver for Windows has been
released. Citrix strongly recommends that customers upgrade Citrix
Workspace app to version 1904 or later and Receiver for Windows to LTSR
4.9 CU6 version 4.9.6001.

The new Citrix Workspace app version is available from the following
Citrix website location:

https://www.citrix.com/downloads/workspace-app/

The new LTSR version is available from the following Citrix website
location:

https://www.citrix.com/downloads/citrix-receiver/windows-ltsr/receiver-for-windows-ltsr-latest.html

After the security update is applied, Single Sign-on (SSO) could stop
working for browsers other than Internet Explorer unless explicitly
configured. Use the following documentation to ensure proper
configuration after installing the fix:

https://support.citrix.com/article/CTX133982


Acknowledgements

Citrix thanks Ollie Whitehouse, Richard Warren and Martin Hill of NCC
Group for working with us to protect Citrix customers.


Changelog

+--------------------------------+--------------------------------------------+
|Date                            |Change                                      |
+--------------------------------+--------------------------------------------+
|13th May 2019                   |Initial publishing                          |
+--------------------------------+--------------------------------------------+


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



