“This isn’t really a bug in the BinaryFormatter itself, nor a bug in MSMQ,” said watchTowr, “but rather the unfortunate consequence of Citrix relying on the documented-to-be-insecure BinaryFormatter to maintain a security boundary. It’s a ‘bug’ that manifested during the design phase, when Citrix decided which serialization library to use.”
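To make the design point concrete, here is an added illustration (not code from Citrix, watchTowr or the article) of an MSMQ consumer written the way the quote describes, next to a hardened version that closes the type set the formatter may instantiate. It assumes .NET Framework with System.Messaging referenced; the JobRequest type, field limits and queue wiring are hypothetical.

```csharp
using System;
using System.Messaging;

// Hypothetical message contract: a plain, sealed data type with no behaviour.
public sealed class JobRequest
{
    public string JobId { get; set; }
    public int Priority { get; set; }
}

public static class QueueConsumer
{
    // UNSAFE: BinaryMessageFormatter is BinaryFormatter underneath. Whoever can
    // write to the queue decides which .NET types are instantiated here, so the
    // queue's ACL, not this code, is the only security boundary left.
    public static object ReceiveUnsafe(MessageQueue queue)
    {
        queue.Formatter = new BinaryMessageFormatter();
        return queue.Receive(TimeSpan.FromSeconds(5)).Body;
    }

    // HARDENED: XmlMessageFormatter with an explicit target-type list can only
    // produce a JobRequest; anything else fails in the formatter, and the
    // fields are validated before the rest of the service sees them.
    public static JobRequest ReceiveHardened(MessageQueue queue)
    {
        queue.Formatter = new XmlMessageFormatter(new[] { typeof(JobRequest) });
        return Validate((JobRequest)queue.Receive(TimeSpan.FromSeconds(5)).Body);
    }

    // Semantic checks the serializer cannot make for you (assumed limits).
    public static JobRequest Validate(JobRequest r)
    {
        if (r == null || string.IsNullOrWhiteSpace(r.JobId) || r.JobId.Length > 64
            || r.Priority < 0 || r.Priority > 9)
            throw new InvalidOperationException("rejected malformed JobRequest");
        return r;
    }

    // Round-trips one message through the hardened formatter in memory, with no
    // live queue, to show the closed type set in action.
    public static void Main()
    {
        var fmt = new XmlMessageFormatter(new[] { typeof(JobRequest) });
        var msg = new Message();
        fmt.Write(msg, new JobRequest { JobId = "job-42", Priority = 3 }); // constructed sample
        msg.BodyStream.Position = 0;
        JobRequest back = Validate((JobRequest)fmt.Read(msg));
        Console.WriteLine($"accepted {back.JobId} with priority {back.Priority}");
    }
}
```

The same principle applies to any serializer that lets the sender name the type; restricting the allowed types, or switching to a format that cannot express arbitrary object graphs, is the fix, not patching the formatter.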
A ‘medium’ risk, says Citrix
In an email to CSO Online, Citrix said it takes reports of security vulnerabilities seriously. Once the company was made aware of this exploit, it worked with watchTowr to validate, reproduce, and mitigate the problem for the protection of customers.
Citrix rates it a “medium” security issue for several reasons: