The pandemic has seen organizations around the world allow their employees to work from home and many are using VPN services to connect to their corporate networks. However, the growing reliance on VPNs has led to increased interest from cybercriminals who wish to exploit vulnerabilities found in popular VPN software.
While Cymptom security researcher Chen Erlich recently discovered a privilege escalation vulnerability in HotSpot Shield’s Windows client, his latest blog post shows that consumer VPN vendors aren’t the only weak point: enterprise VPNs also contain vulnerabilities that can be exploited by cybercriminals. In fact, Erlich recently discovered multiple privilege escalation (elevation of privilege) vulnerabilities in Citrix’s widely used business VPN solution, Citrix Gateway Plug-In for Windows.
The Citrix Gateway Plug-In installs a “Citrix Gateway Service” on the user’s computer that runs as SYSTEM and starts automatically on boot. Every five minutes, the service runs a PowerShell script, also as SYSTEM. However, because powershell.exe is invoked by file name only rather than by its full path, Windows searches through numerous directories to find it.
To exploit this vulnerability, an attacker could create a malicious file, name it powershell.exe and copy it to every directory they have write access to. This would allow them to elevate their privileges on systems running the Citrix Gateway Plug-In for Windows.
Privilege escalation vulnerabilities
When the PowerShell script runs uninterrupted, it verifies saved VPN configurations and writes to a log file called intune.log at C:\ProgramData\Citrix\AGEE\intune.log. The permissions on this directory grant Full Control even to unprivileged users.
When intune.log is about to be written, if Windows finds an intune.log.backup file in the same directory, it overwrites that backup and writes a new intune.log file. However, if the backup exists as a directory, intune.log will be copied into that directory instead. To exploit this vulnerability, an attacker with a standard account can create a symlink between the C:\ProgramData\Citrix\AGEE\intune.log.backup\intune.log file and any destination file that SYSTEM can write to. When the scheduled privileged PowerShell script runs, it will move the intune.log file there, as the backup is a directory and not a file. Erlich also discovered an AppData privilege escalation that can lead to arbitrary file writing and creation.
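The two weaknesses described above, an unqualified powershell.exe lookup from a SYSTEM service and a user-writable log directory whose backup can be swapped for a directory or link, are both conditions an administrator can audit for. The following PowerShell script is an added example written for this article; it is not code from the article, from Cymptom or from Citrix. It assumes the directory name the article gives (C:\ProgramData\Citrix\AGEE), English-language principal names for the low-privilege groups, and an elevated prompt so the machine-wide PATH and ACLs can be read.

```powershell
# Added audit script (not from the article, Cymptom or Citrix). It checks a host for
# the two conditions the write-up describes: low-privilege write access to a directory
# on the machine PATH, where an unqualified "powershell.exe" lookup could be satisfied,
# and permissive ACLs or a directory/reparse point standing in for the log backup under
# C:\ProgramData\Citrix\AGEE. Paths and principal names are assumptions taken from the
# article; adjust them if your deployment differs. Run from an elevated prompt.

$AgeeDir    = 'C:\ProgramData\Citrix\AGEE'   # directory named in the article
$BackupPath = Join-Path $AgeeDir 'intune.log.backup'
$LogPath    = Join-Path $AgeeDir 'intune.log'

# Identities every standard user belongs to (English names, an assumption); a
# write-capable Allow ACE for any of them lets an unprivileged account plant files.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow creating entries in a directory, plus the generic write/all bits
# that some ACEs carry instead of the specific ones.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

# --- Check 1: PATH entries that could satisfy an unqualified powershell.exe lookup ---
# CreateProcess searches the application directory, the caller's current directory and
# the Windows system directories before PATH, so PATH hygiene is only part of the
# picture; the fix on the caller's side is to invoke the binary by its full path.
$order = 0
$pathReport = foreach ($dir in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')) {
    if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $order++
    [pscustomobject]@{
        SearchOrder     = $order
        Directory       = $dir
        LowPrivWritable = Test-LowPrivWritable -Path $dir
        HasPowerShell   = Test-Path -LiteralPath (Join-Path $dir 'powershell.exe') -PathType Leaf
    }
}
"Machine PATH entries (writable entries or unexpected powershell.exe copies need attention):"
$pathReport | Format-Table -AutoSize
"Unqualified lookup from this session resolves to: $((Get-Command powershell.exe -ErrorAction SilentlyContinue).Source)"

# --- Check 2: the Citrix log directory and its backup ---
if (Test-Path -LiteralPath $AgeeDir -PathType Container) {
    "AGEE directory writable by low-privilege users: $(Test-LowPrivWritable -Path $AgeeDir)"
    foreach ($p in @($BackupPath, $LogPath)) {
        if (-not (Test-Path -LiteralPath $p)) { "$p : absent"; continue }
        $item      = Get-Item -LiteralPath $p -Force
        $isDir     = $item.PSIsContainer
        $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        # The service's script expects intune.log.backup to be a plain file; a directory
        # or a reparse point (symlink/junction) in its place is the condition to flag.
        "$p : directory=$isDir reparsePoint=$isReparse"
    }
} else {
    "$AgeeDir not present; the Citrix Gateway Plug-in may not be installed on this host."
}
```

A non-null `True` in the LowPrivWritable column, a powershell.exe copy outside the Windows system directories, or a backup path reported as a directory or reparse point are the findings worth escalating; a `$null` result means the ACL could not be read and the directory should be inspected by hand. Patching to the fixed plug-in versions removes the root cause; this audit is for confirming that a host has not already been prepared for abuse and that the directory permissions match what the vendor ships.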
According to a security update from Citrix, Citrix Gateway Plug-in 13.0 for Windows before 64.35, Citrix Gateway Plug-in 12.1 for Windows before 59.16 and Citrix Gateway Plug-in 12.1 for Windows before 55.190 are all affected. Thankfully, the company has already issued fixes for the vulnerabilities discovered by Erlich, which can be found here.
As businesses now rely on VPN services to support their remote workers, keeping them up to date is an essential step to avoid falling victim to any potential attacks that could exploit known vulnerabilities.