Citrix Workspace 2019
Citrix Workspace app can be used on domain and non-domain joined PCs, tablets, and thin clients. Provides high performance use of virtualized Skype for Business, line of business and HDX 3D Pro engineering apps, multimedia, local app access. The Citrix Workspace app allows for secure, unified access to all of your SaaS apps, web apps, virtual apps, files, and desktops. If your company uses Citrix, simply login with your company credentials to access all of the resources you need to be productive from anywhere.
DESCRIPTION OF ITS CITRIX WORKSPACE AND ON THE SUITABILITY OF THE DESIGN AND OPERATING EFFECTIVENESS OF ITS CONTROLS RELEVANT TO SECURITY, AVAILABILITY AND CONFIDENTIALITY THROUGHOUT THE PERIOD AUGUST 1, 2019 TO OCTOBER 31, 2019 2 / 78.
We have a relatively new (just a bit over a month) CVAD 1909 deployment using server 2019 as VDAs. We have application only VDAs and published desktop only VDAs separately. We are also leveraging Microsoft APP-V to deliver the application on said VDAs. From the time we implemented this, we have had issues where the published desktop VDAs will just sit on a black screen for about 30 minutes before it displays the desktop. This happens intermittently and no way to tell which VDA will exhibit this behavior. The only solution we have is to put the VDA in maintenance mode and bleed out the users and reboot. This seems to happen once to each VDA within a 24 hour period. We also resorted to a daily reboot just because of this.
If we try to RDP to the affected VDA, we get the same black screen issue. Even going to the VDA console (we use Citrix Hypervisor 8.0) and logging on as a local admin, same issue. I'm able to pull up task manager from the console and see users still connected to it and appear to still be functioning normally until the other day that I noticed when I tried to just keep RDP sessions running to all of the VDAs and waited until the issue comes up. Then I noticed that my connected RDP session that I could not even invoke windows explorer. So it would seem any current user session is unable to interact with the published desktop. I checked CPU and Memory usage during this time and it seems normal. This also happens on published applications from the application only VDAs but users only see it as the application not starting up since it's unable to proceed normally with the login process. Same thing when we check on the application VDA console, just getting a black screen for 30 minutes.
We found this Microsoft forum article that pretty much describes what we're seeing only this is just referring to windows host terminal servers (which Citrix VDAs are).
We have tried other suggestions (mostly registry hacks) of other 'black screen' issues that we found on other forums although those mainly describe a brief black screen that pops up when launching a session.
Any ideas what this could be or has anyone else encountered this issue in their deployment? Obviously, our user base is not happy with all of the work interruption so any help from this community will be greatly appreciated.
• CVE-2019-19781 : Vulnerability in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliance leading to arbitrary code execution
The vulnerability affects the following supported product versions on all supported platforms:
• Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24
• NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18
• NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13
• NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15
• NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
• Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b
What Customers Should Do
Exploits of this issue on unmitigated appliances have been observed in the wild. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who have chosen to immediately apply the mitigation should then upgrade all of their vulnerable appliances to a fixed build of the appliance at their earliest schedule. Subscribe to bulletin alerts at https://support.citrix.com/user/alerts to be notified when the new fixes are available.
The following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until the system has been updated to a fixed build: CTX267679 - Mitigation steps for CVE-2019-19781
The following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until a permanent fix is available: CTX267679 - Mitigation steps for CVE-2019-19781
Upon application of the mitigation steps, customers may then verify correctness using the tool published here: CTX269180 - CVE-2019-19781 – Verification Tool
In Citrix ADC and Citrix Gateway Release '12.1 build 50.28', an issue exists that affects responder and rewrite policies causing them not to process the packets that matched policy rules. This issue was resolved in '12.1 build 50.28/31' after which the mitigation steps, if applied, will be effective. However, Citrix recommends that customers using these builds now update to '12.1 build 55.18', or later, where CVE-2019-19781 issue is already addressed.
Customers on '12.1 build 50.28' who wish to defer updating to '12.1 build 55.18' or later should choose one from the following two options for the mitigation steps to function as intended:
1. Update to the refreshed '12.1 build 50.28/50.31' or later and apply the mitigation steps, OR
2. Apply the mitigation steps towards protecting the management interface as published in CTX267679. This will mitigate attacks, not just on the management interface but on ALL interfaces including Gateway and AAA virtual IPs
Fixed builds have been released across all supported versions of Citrix ADC and Citrix Gateway. Fixed builds have also been released for Citrix SD-WAN WANOP for the applicable appliance models. Citrix strongly recommends that customers install these updates at their earliest schedule. The fixed builds can be downloaded from https://www.citrix.com/downloads/citrix-adc/ and https://www.citrix.com/downloads/citrix-gateway/ and https://www.citrix.com/downloads/citrix-sd-wan/
Customers who have upgraded to fixed builds do not need to retain the mitigation described in CTX267679.
Fix Timelines
Citrix has released fixes in the form of refresh builds across all supported versions of Citrix ADC, Citrix Gateway, and applicable appliance models of Citrix SD-WAN WANOP. Please refer to the table below for the release dates.
| Citrix ADC and Citrix Gateway | ||
|---|---|---|
| Version | Refresh Build | Release Date |
| 10.5 | 10.5.70.12 | 24th January 2020 (Released) |
| 11.1 | 11.1.63.15 | 19th January 2020 (Released) |
| 12.0 | 12.0.63.13 | 19th January 2020 (Released) |
| 12.1 | 12.1.55.18 | 23rd January 2020 (Released) |
| 13.0 | 13.0.47.24 | 23rd January 2020 (Released) |
| Citrix SD-WAN WANOP | ||
| Release | Citrix ADC Release | Release Date |
| 10.2.6b | 11.1.51.615 | 22nd January 2020 (Released) |
| 11.0.3b | 11.1.51.615 | 22nd January 2020 (Released) |
Acknowledgements
Citrix thanks Mikhail Klyuchnikov of Positive Technologies, and Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Citrix Workspace 2019 Mac
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
How To Open Citrix Workspace
Changelog
Citrix Workspace Free App
| Date | Change |
| 17th December 2019 | Initial Publication |
| 11th January 2020 | Fix Timelines Updated |
| 16th January 2020 | SD-WAN WANOP added/Citrix ADC 12.1 responder bug detail added |
| 16th January 2020 | CVE verification tool |
| 17th January 2020 | Update to Citrix ADC and Citrix Gateway 12.1 responder policy issue |
| 19th January 2020 | Announced release of 12.0 and 11.1 builds. Announced earlier release dates for other versions. |
| 22nd January 2020 | Announced fixes for SD-WAN WANOP appliances |
| 23rd January 2020 | Announced (accelerated) release of 13.0 and 12.1 builds. |
| 24th January 2020 | Announced release of 10.5 build |
| 23rd October 2020 | Added explicit statement clarifying that MPX is affected |