Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN106

_____________________________________________________________________

DATE                : 19/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Citrix Secure Access Client for
                              Mac versions prior to 25.01.2.

=====================================================================
https://support.citrix.com/s/article/CTX692679-citrix-secure-access-client-for-mac-security-bulletin-for-cve20251222-and-cve20251223?language=en_US
_____________________________________________________________________

    Security Bulletin

Title
    Citrix Secure Access Client for Mac Security Bulletin for
CVE-2025-1222 and CVE-2025-1223

CTX Number
    CTX692679

Article Type
    Security Bulletin

Created Date
    18/Feb/2025

Last Modified Date
    18/Feb/2025

Severity
    Medium


Solution
    Description of Problem

    Vulnerabilities have been discovered in Citrix Secure Access
     Client for Mac. Refer to below for further details: 

    Affected Versions: 

    The following supported versions of Citrix Secure Access Client
     for Mac are affected:
    Citrix Secure Access Client for Mac versions BEFORE 25.01.2


    Summary: 

    Citrix Secure Access Client for Mac contains the vulnerabilities
mentioned below

    CVE-ID 
    	

    Description 
    	

    Pre-conditions
    	

    CWE
    	

    CVSS

    CVE-2025-1222 
    	

    An attacker can gain application privileges in order to perform
limited modification and/or read arbitrary data
    	

    Local access to the target system
    	

     

    CWE-693: Protection Mechanism Failure
    	

    CVSS v4.0 Base Score: 5.9

    CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

    CVE-2025-1223
    	

    An attacker can gain application privileges in order to perform
limited modification and/or read arbitrary data
    	

    Local access to the target system
    	

    CWE-427: Uncontrolled Search Path Element
    	

    CVSS v4.0 Base Score: 5.9

    CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N 


    What Customers Should Do

    Cloud Software Group strongly urges customers of Citrix Secure
Access Client for Mac  to install the relevant updated versions as
soon as possible: 
    Citrix Secure Access Client for Mac 25.01.2 and later releases


    Workarounds/ Mitigating Factors

    None


    Acknowledgments

    Cloud Software Group thanks Mathieu Farrell of Quarkslab for
working with us to protect Cloud Software Group customers.


    What Citrix is Doing

    Citrix is notifying customers and channel partners about this
potential security issue through the publication of this security
bulletin on the Citrix Knowledge Center at
https://support.citrix.com/securitybulletins.


    Obtaining Support on This Issue
    If you require technical assistance with this issue, please
contact Citrix Technical Support. Contact details for Citrix
Technical Support are available at
https://www.citrix.com/support/open-a-support-case.

    Subscribe to Receive Alerts
    Citrix strongly recommends that all customers subscribe to
receive alerts when a Citrix security bulletin is created or
modified at https://support.citrix.com/user/alerts.


    Reporting Security Vulnerabilities to Citrix
    Citrix welcomes input regarding the security of its products
and considers any and all potential vulnerabilities seriously. For
details on our vulnerability response process and guidance on how
to report security-related issues to Citrix, please see the
following webpage:
https://www.citrix.com/about/trust-center/vulnerability-process.html.


    Disclaimer
    The information on this page is being provided to you on an
"AS IS" and "AS-AVAILABLE" basis. The issues described on this
page may or may not impact your system(s). Cloud Software Group,
Inc. and its subsidiaries (collectively, "Cloud SG") make no
representations, warranties, or guarantees as to the information
contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING, WITHOUT LIMITATION, INCLUDING, BUT NOT LIMITED TO,
IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS
FOR A PARTICULAR PURPOSE ARE HEREBY DISCLAIMED. BY ACCESSING THIS
PAGE, YOU ACKNOWLEDGE THAT CLOUD SG SHALL IN NO EVENT BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL
DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. Cloud SG reserves the right to
change or update the information on this page at any time. We
accordingly recommend that you always view the latest version
of this page. The information contained herein is being provided
to you under the terms of your applicable customer agreement with
Cloud SG, and may be used only for the purposes contemplated by
such agreement. If you do not have such an agreement with
Cloud SG, this information is provided under the cloud.com Terms
of Use, and may be used only for the purposes contemplated by
such Terms of Use.
     
    Changelog
    2025-02-18	Initial Publication


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================