This vulnerability affects all supported versions of Citrix Workspace app for Windows but does not affect Citrix Workspace app on any other platforms. Citrix Workspace app downloaded from Windows Store is also not affected by this issue.
Mitigating Factors
This vulnerability only exists if Citrix Workspace app was installed using an account with local or domain administrator privileges. It does not exist when a standard Windows user installed Citrix Workspace app for Windows.
Users with automatic updates enabled will automatically be updated to a fixed version.
What Customers Should Do
The issue has been addressed in the following versions of Citrix Workspace app for Windows:
- Citrix Workspace App 2105 and later
- Citrix Workspace App 1912 LTSR CU4 and later cumulative updates
The latest version of Citrix Workspace app for Windows is available from the following Citrix website location:
https://www.citrix.com/downloads/workspace-app/windows/
The latest LTSR version of Citrix Workspace app for Windows is available from the following Citrix website location:
https://www.citrix.com/downloads/workspace-app/workspace-app-for-windows-long-term-service-release/.
Acknowledgements
Citrix would like to thank Sai Cheng of Syclover Security Team for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/en-gb/support/open-a-support-case/.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html
Disclaimer
This document is provided on an 'as is' basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time.
Changelog
Date | Change |
2021-05-11 | Initial Publication |
2021-05-11 | CVE ID Corrected |
2021-05-18 | Acknowledgements amended. Added clarification that versions installed by using an account with administrator privileges are vulnerable |
2021-05-19 | Added clarification that Citrix Workspace App in Windows Store |
The Citrix ICA Client (Citrix Receiver) allows access to remote Windows sessions that run on a Citrix server.
These instructions are for current/recent Ubuntu/ICA versions. For historical reference, instructions for older Ubuntu/ICA versions are at CitrixICAClientHowToOlderVersions.
If you are considering deployment of the Receiver in your workplace (as opposed to installation on just your machine), have a look at the Citrix Receiver deployment how-to in the Ubuntu for the Enterprise wiki.
1. (64-bit only) Alternative install procedure that can be added to a deployment bash script
http://mark911.wordpress.com/2014/06/27/how-to-install-citrix-receiver-icaclient-in-ubuntu-14-04-lts-64-bit-tested-and-working-using-mozilla-firefox/
2. (64-bit only) Enable i386 Multiarch
Even the Citrix Receiver for 64-bit systems has a lot of dependencies on packages from the i386 architecture. If you are using 64-bit Ubuntu and have not already configured i386 multiarch, you must configure it by running:
N.B. The download link currently directs you to receiver 13.2 rather than 13.1 and the 64-bit deb no longer has i386 architecture dependencies.
3. Download the Citrix Receiver for Linux .deb package
Go to https://www.citrix.com/downloads/citrix-receiver/legacy-receiver-for-linux/receiver-for-linux-13-2.html
- Near the bottom of the page, select either 'For 64-bit Systems' or 'For 32-bit Systems' as appropriate, and go to the 'Receiver for Linux' package.
- Look for 'File Type: .deb' under the Download buttons.
- Click this .deb file and have it open in Ubuntu Software Center for installation (so you can skip step 4), or download the .deb file and install it as described in step 4.
- Optionally download the 'USB Support Package'. This package provides support for passing USB devices from your local Ubuntu machine into the remote Windows session (if your Citrix server is configured to allow that).
4. Install the downloaded package(s) and dependencies
If Ubuntu Software Center did not install Citrix Receiver and you downloaded the .deb file instead, install it as follows:
5. Add more SSL certificates
By default, Citrix Receiver only trusts a few root CA certificates, which causes connections to many Citrix servers to fail with an SSL error. The 'ca-certificates' package (already installed on most Ubuntu systems) provides additional CA certificates in /usr/share/ca-certificates/mozilla/ that can be conveniently added to Citrix Receiver to avoid these errors:
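One way to add these certificates while keeping a record of exactly what enters the trust store, as an added example that is not part of the original instructions. The function name `link_ca_certs` and the keystore path `/opt/Citrix/ICAClient/keystore/cacerts` are assumptions; check the path against your installation.

```shell
#!/bin/sh
# Added example: link PEM CA certificates into the Citrix Receiver keystore.
# Assumption: the keystore is /opt/Citrix/ICAClient/keystore/cacerts.
# Usage (absolute paths, so the symlinks resolve from the keystore):
#   sudo sh -c '. ./link_ca_certs.sh; link_ca_certs \
#       /usr/share/ca-certificates/mozilla /opt/Citrix/ICAClient/keystore/cacerts'
# If your Receiver version looks certificates up by hash, run c_rehash
# (shipped with openssl) on the keystore afterwards.

link_ca_certs() {
    src=$1
    dst=$2
    linked=0
    [ -d "$src" ] && [ -d "$dst" ] || {
        echo "usage: link_ca_certs SRC_DIR KEYSTORE_DIR" >&2
        return 2
    }
    for cert in "$src"/*.crt; do
        # Unmatched glob or something that is not a regular file
        [ -f "$cert" ] || continue
        name=$(basename "$cert")
        # Only PEM certificates belong in the keystore
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
            echo "skip (not PEM): $name" >&2
            continue
        fi
        # Never replace an entry that is already in the keystore
        if [ -e "$dst/$name" ] || [ -L "$dst/$name" ]; then
            echo "keep existing: $name" >&2
            continue
        fi
        if ln -s "$cert" "$dst/$name"; then
            linked=$((linked + 1))
            echo "linked: $name" >&2
        fi
    done
    # Number of new trust anchors, on stdout for scripting
    echo "$linked"
}
```

The per-file messages go to stderr, so the output can be kept as a record of which roots were added; re-running the function adds nothing twice.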
6. Configure Citrix Receiver
Run:
To map drives (to allow access to files on your local Ubuntu machine via a share drive in the remote Windows session), see the 'File Access' tab.
7. (64-bit only) Fix Firefox plugin installation
Run:
Starting with Citrix Receiver 13.1, the 64-bit version of Citrix Receiver switched from a 32-bit plugin (using nspluginwrapper to allow it to run within a 64-bit browser) to a native 64-bit plugin. However, the install script still configures the plugin to run within nspluginwrapper, which doesn't work with a 64-bit plugin. The above will reconfigure the plugin to run without nspluginwrapper.
8. Configure Firefox
In Firefox, go to Tools -> Add-ons -> Plugins, and make sure the 'Citrix Receiver for Linux' plugin is set to 'Always Activate'.
Starting in Firefox 32, plugins are set to 'Ask to Activate' by default, but for some reason the activation prompt is never displayed for the Citrix Receiver plugin, so the plugin will not work unless it is set to 'Always Activate'.
9. Configure Chrome/Chromium
To use Citrix Receiver in Chrome and/or Chromium, run:
If you are running KDE 4.10 or later: In System Settings, make sure GTK is set to a theme other than Oxygen. The Oxygen theme seems to cause the Citrix Receiver to constantly crash when trying to launch fullscreen applications (such as Terminal Servers or VDI).
Some people have experienced problems with Citrix Receiver 13.0 showing only random fragments of windows. It is not clear if this is a bug in the graphics library that Citrix has adopted with this version and/or its interaction with certain Citrix server configurations. If you experience this, you are likely to have better success with version 12.1, see CitrixICAClientHowToOlderVersions. The behavior of Citrix Receiver 13.1 for the affected people has not yet been determined.
Sometimes the Citrix client will not go full-screen with Unity. The Unity launcher and status bar will still be visible, and the Citrix mouse will be in a slightly different position than the client mouse. This can be fixed by enabling legacy fullscreen in compizconfig-settings-manager. It is in 'advanced search' then 'Plugin: workarounds', then second on the list.
- You can exit from the FULL SCREEN mode (in Unity) by pressing Ctrl+F2 followed by Ctrl+Super+Arrow_Down.
- You can prevent Citrix from starting FULL SCREEN by opening a terminal (Ctrl+Alt+T), gedit ~/.ICAClient/All_Regions.ini and setting DesiredHRES=1366 and DesiredVRES=768 for example.
You can solve keyboard layout problems by looking up your keyboard layout at http://support.citrix.com/proddocs/topic/receivers-java-101/java-parameters-keyboard-layouts.html and updating the KeyboardLayout value in ~/.ICAClient/wfclient.ini
There is a bug in Citrix Receiver 13.1.0.285639 that prevents the receiver from being started from Unity. The problem is a missing hash in a parameter; as a workaround, it can be fixed by executing the following command. The problem and solution are also described here: http://discussions.citrix.com/topic/358076-deb-package-uses-icaroot-instead-of-icaroot-spelling-error/#entry1844542