CVE-2023-24490
Citrix Virtual Delivery Agent (VDA) vulnerability analysis and mitigation

Overview

CVE-2023-24490 is a security vulnerability affecting Citrix Virtual Apps and Desktops (CVAD) and Virtual Delivery Agent (VDA) products. The vulnerability was discovered and initially recorded on January 24, 2023, affecting multiple versions of Citrix Virtual Apps and Desktops including 1912 LTSR and 2203 LTSR, as well as Linux Virtual Delivery Agent versions (CERT-FR, NVD).

Technical details

The vulnerability is classified as an improper access control issue (CWE-284) that allows users with only VDA application launch permissions to access unauthorized desktops. The severity assessment according to CVSS 3.1 varies between sources, with NVD rating it as MEDIUM (Base Score: 4.3) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, while Citrix assessed it as MEDIUM (Base Score: 6.3) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

Impact

The vulnerability enables users to bypass intended access restrictions, potentially allowing them to launch desktop sessions they are not authorized to access. This represents a significant security policy bypass that could compromise the system's access control mechanisms (CERT-FR).

Mitigation and workarounds

Citrix has released security updates that address this vulnerability. For Citrix Virtual Apps and Desktops 1912 LTSR, apply CU7; for 2203 LTSR, apply CU3; and for Linux Virtual Delivery Agent 1912 LTSR, install CU7 Hotfix 1 (19.12.7001). Users running versions prior to 2305 should upgrade to the latest version (CERT-FR).

This report was generated using AI.
