CVE-2022-21825
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on Linux systems running Citrix Workspace App with App Protection enabled. An attacker with local access can exploit improper access controls to gain root privileges. Affects Citrix Workspace App for Linux versions 2012 through 2111 when App Protection is installed.
💻 Affected Systems
- Citrix Workspace App for Linux
📦 What is this software?
Workspace by Citrix
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root access, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Local user or malware with initial access escalates to root to install backdoors, steal credentials, or disable security controls.
If Mitigated
With proper patching and least privilege principles, impact limited to isolated user session without system-wide compromise.
🎯 Exploit Status
Exploitation requires local access to the system. Multiple proof-of-concept exploits have been published since disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2112 and later
Vendor Advisory: https://support.citrix.com/article/CTX338435
Restart Required: Yes
Instructions:
1. Download Citrix Workspace App for Linux version 2112 or later from the Citrix website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Disable App Protection
Remove or disable the App Protection component if it is not required for business operations:
sudo apt-get remove citrix-appprotection
sudo yum remove citrix-appprotection
Restrict Local Access
Implement strict access controls to limit who can log into affected systems locally.
🧯 If You Can't Patch
- Implement strict least privilege principles and monitor for privilege escalation attempts
- Isolate affected systems in segmented network zones and restrict lateral movement capabilities
🔍 How to Verify
Check if Vulnerable:
Check whether App Protection is installed: dpkg -l | grep citrix-appprotection (or, on RPM-based systems, rpm -qa | grep citrix-appprotection). Then check the Workspace App version: /opt/Citrix/ICAClient/wfica --version
Check Version:
/opt/Citrix/ICAClient/wfica --version
Verify Fix Applied:
Verify the version is 2112 or later (the pattern matches four-digit YYMM versions from 2112 upward): /opt/Citrix/ICAClient/wfica --version | grep -E '2112|211[3-9]|21[2-9][0-9]|2[2-9][0-9]{2}'
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events in system logs
- Execution of App Protection components with elevated privileges
- Failed authentication attempts followed by successful privilege changes
Network Indicators:
- Unusual outbound connections from Citrix Workspace processes
- Lateral movement attempts from previously isolated systems
SIEM Query:
source="linux_system_logs" AND (process="citrix-appprotection" OR process="wfica") AND (event="setuid" OR event="setgid" OR event="sudo")