Note!!

Based on discussions with Citrix through VINCE from cert.org, it was concluded that this is not classified as a vulnerability because it requires administrative privileges. Therefore, I can share this information without security concerns. However, for security reasons, I do not recommend using XenDesktop (VDI) in special environments such as logically isolated or closed networks. If VDI must be used in such environments, please ensure that administrator privileges are removed and security-specific software is installed.

While the need for administrative privileges may reduce the risk, it does not eliminate the potential impact. Below is a detailed technical explanation of how the Citrix policy can be bypassed.

Description

The Citrix VDI Agent (PicaSvc2.exe) appears to receive policies from the Citrix management server, write them to the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\1\User), and then apply them by reading that key back. Because the agent acts on whatever it reads from the registry, an attacker with write access to that key can bypass the drive, network access, clipboard and other security policies enforced by the Citrix Policy Server (refer to the proof of concept [POC] below).

According to Citrix’s Common Criteria Certification documentation, protections are designed to prevent an attacker from altering this configuration data (Configdata). This type of bypass could be considered an implementation flaw.

If VDI is used in closed or isolated network environments, bypassing Citrix Policy and forcibly connecting the VDI to the internet could expose sensitive internal information to external parties. In South Korea, such actions are a clear violation of the law and would require a reassessment of network isolation measures.

Proof of Concept (POC)

An attacker would first need to log into the company’s Citrix VDI (running Windows 10) after gaining access to a company account. The VDI environment is typically restricted from network access, printer use, external drives, clipboard access, etc.

  1. The attacker logs into the VDI and runs a batch file (download link) that continuously modifies the registry, then disconnects from the VDI session.

    The batch file keeps rewriting the registry values. After starting it, the attacker disconnects from the VDI; on reconnection, the values the agent reads back have already been tampered with, so the Citrix policies no longer take effect.

    Example registry modification:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\1\User]
    "AutoConnectDrives"=dword:00000001
    "AllowCdromDrives"=dword:00000001
    "AllowFixedDrives"=dword:00000001
    "AllowFloppyDrives"=dword:00000001
    "AllowNetworkDrives"=dword:00000001
    "AllowRemoveableDrives"=dword:00000001
    "UseAsyncWrites"=dword:00000001
    "ReadOnlyMappedDrive"=dword:00000000
    
  2. Upon logging back into the VDI, PicaSvc2.exe retrieves the policy settings from the Citrix server and stores them in the registry.

  3. Between PicaSvc2.exe writing the policies and reading them back, the batch file started earlier overwrites the registry values again.

  4. PicaSvc2.exe then applies the manipulated policies in the VDI environment.

Additionally:

  • By modifying the registry of the connecting PC, hardware redirection can be enabled, which allows unauthorized network access.
  • Citrix’s default policy allows USB class FFh, which means an iPhone can be used for tethering or a USB-based wireless card could be used to bypass network isolation.
  • To enable iPhone tethering, the attacker would need to install drivers extracted from the iTunes installer: Apple network driver and Apple USB driver.
  • After redirecting the iPhone in the Citrix session, internet access can be obtained even in a network-isolated environment.

Impact

For companies using VDI to maintain logical network separation, this vulnerability could lead to the leakage of internal information and unauthorized access to internal servers.

Given the potential impact, it is crucial to identify and mitigate such attacks in real time. Below are steps to discover and monitor potential bypass activities.

Discovery

To discover this issue:

  1. Use Procmon to monitor the operations of PicaSvc2.exe.
  2. Examine the registry keys where the Citrix agent stores its policy settings.
  3. Manipulate and observe the effects of changes in these registry values.
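As an added example (not part of the original write-up), the following PowerShell script turns the discovery steps into an ongoing check: it compares the policy key named above against an expected locked-down baseline and puts an audit SACL on the key so that any write to it is logged as Security event 4657. The value names come from the registry example in the POC; the expected values and the SACL settings are assumptions for a restricted VDI image.

```powershell
# Added example, not Citrix code. Key path and value names are from the write-up;
# the expected (locked-down) values are assumed for a restricted VDI image.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Citrix\1\User'

# Values the write-up shows being flipped; a locked-down VDI is assumed to keep
# every drive-mapping switch off and mapped drives read-only.
$Expected = @{
    AutoConnectDrives     = 0
    AllowCdromDrives      = 0
    AllowFixedDrives      = 0
    AllowFloppyDrives     = 0
    AllowNetworkDrives    = 0
    AllowRemoveableDrives = 0
    ReadOnlyMappedDrive   = 1
}

function Get-CitrixPolicySnapshot {
    # Read every value under the policy key into a plain hashtable,
    # dropping the PS* metadata properties the registry provider adds.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    $snap = @{}
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^PS') { $snap[$p.Name] = $p.Value }
    }
    return $snap
}

function Test-CitrixPolicyDrift {
    # Report each expected value that is missing or differs from the baseline.
    # A missing value ($null) is treated as drift, not as "still restricted".
    $current = Get-CitrixPolicySnapshot
    foreach ($name in $Expected.Keys) {
        if ($current[$name] -ne $Expected[$name]) {
            [pscustomobject]@{ Value = $name; Expected = $Expected[$name]; Actual = $current[$name] }
        }
    }
}

function Enable-CitrixPolicyAudit {
    # Add a SACL so successful writes to the key (by any process) produce
    # Security event 4657; 'Audit Registry' under Object Access must be enabled.
    $acl  = Get-Acl -Path $PolicyKey -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', 'SetValue,CreateSubKey,Delete', 'ContainerInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $PolicyKey -AclObject $acl
}

# Run from an elevated prompt on the VDI image; drift is printed as a table.
Test-CitrixPolicyDrift | Format-Table -AutoSize
```

Once the SACL is in place, 4657 events whose process name is not PicaSvc2.exe are the signal to alert on; the drift check can be scheduled to run at each session reconnect, the moment the write-up identifies as the point where tampered values take effect.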

Design Analysis

The Citrix Common Criteria Certification document includes measures to prevent unauthorized modification of configuration data. According to Citrix’s Common Criteria Certification Information, the integrity and confidentiality of the data required for setup and assignment of a virtual desktop or application are maintained during transmission between servers. This design also includes prevention measures against attackers, application users, or desktop users from modifying the configuration data.

Even with the security features Citrix describes above, the issue also has a legal dimension, particularly in regions like South Korea where strict network isolation laws apply.

Citrix’s security objectives, including O.Secure_Setup_Data, OE.TLS, and OE.Encryption, ensure the confidentiality and integrity of the configuration data during processing and transmission between servers.

For more details on the security objectives and the roles of management functions, see:

  • FMT_SMF.1/Authorise: Management of the endpoint data access control policy
  • FMT_MSA.1/Desktop
  • FMT_MSA.3/Desktop
  • FMT_MSA.1/Application
  • FMT_MSA.3/Application
  • FPT_ITT.1

In South Korea, the Financial Supervisory Service (FSS) has introduced measures under the Electronic Financial Transactions Act that provide companies with the option of implementing logical network separation. Financial institutions are required to block unauthorized access and prevent incidents by adopting network isolation measures to protect sensitive data from external attacks.

Since the attack requires administrative privileges, companies should review their policy regarding the removal of administrative privileges for PC users in logically separated network environments. Furthermore, there is a need for legal improvements to include regulations that prevent the misuse of these systems.

Limitation

Even with administrative and installation privileges restricted, it is still difficult to fully prevent data leaks through methods such as capturing screen images. More detailed analysis and solutions regarding logical network isolation models can be found in this report.

These limitations suggest that even with administrator rights removed, organizations remain vulnerable. This highlights the importance of addressing these issues at both a technical and regulatory level, as seen in recent banking sector responses to similar incidents.


Following a 2011 hacking incident at Nonghyup, several major banks in South Korea began implementing internal-external network separation to prevent the leakage, theft, or tampering of personal information. Network isolation remains a key recommendation to ensure the safety of personal data. See relevant guidelines here and information on ISMS-P certification here.

Additional information on Citrix Common Criteria certification can be found here and here.