Alchemy Blog

Citrix Virtual Apps and Desktops Security Alert – CVE-2021-22928

Earlier this week a new CVE was released for all supported releases of XenApp/XenDesktop and CVAD:
This is a critical vulnerability that needs to be addressed if you are running the affected components and the first time we’ve seen a patch in the new Citrix ecology. It is essential that action be taken to avoid an unsanctioned privilege escalation and potential infection.
The underlying issue from what we can gather is the way the Citrix Profile Management components are running/installed: the installer does not put enough guardrails around the service/install location and therefore can allow malicious code to run. Our recommendation right now is to upgrade to the latest VDA (7.15 CU7, 1912 CU3, or 2106) and add the patch. All subsequent releases after the patch should include the code, so this is a one off. If you’ve been waiting to install the latest CU or current release VDA, now is the time!
Are you running Appsense/Liquidware/3rd party profile management software?
Some of our customers have had success in removing the Citrix Profile Management components. To do so would require running the VDA uninstall, rebooting and reinstalling without the CPM components using the “/exclude “Citrix Profile Management” “Citrix Profile Management WMI Plugin” switch during install. When this is completed, you will lose timing-based login data as well as any profile management related data in Director, so keep that top of mind. ControlUp and other metric collectors can still determine login times without the CPM components.
As always, your Alchemists are here to assist you however we can. Feel free to reach out to us with any other questions/comments/concerns and we will do our best to answer you in a timely manner. Thanks for being a great Alchemy Customer!

Alchemist: Matt Roth

Alchemy Managed Services Architect