“This is not a bug in BinaryFormatter itself, or a bug in MSMQ,” said watchTowr, “but a side effect of Citrix’s reliance on a scripted BinaryFormatter to maintain a security boundary. It’s a ‘disruption’ that was discovered during the design phase, when Citrix was deciding which library to use.”
‘Moderate’ risk, says Citrix
In an email to CSO Online, Citrix said it takes reports of security vulnerabilities. Once the company was notified of this exploit, it worked with watchTowr to verify, reproduce, and mitigate the problem to protect customers.
Citrix rates it as a “moderate” security problem for several reasons: