
Vulnerabilities: LTSR detection for Citrix Workspace misses cumulative update versions #41790

@getvictor

Description


Fleet versions

  • Discovered: 4.83 RC
  • Reproduced: Latest main

Actual behavior

The fix for #31303 (PR #41512) correctly detects LTSR base releases of Citrix Workspace (e.g., version 22.3.1.41 which mutates to 2203.1.41), but fails to detect cumulative update (CU) versions as LTSR.

For example, Citrix Workspace 2203 LTSR CU4 reports version 22.3.4000.4080, which mutates to 2203.4000.4080. The isCitrixWorkspaceLTSR function checks for the prefix "2203.1.", which does not match "2203.4000.4080".

As a result:

  • The generated CPE is cpe:2.3:a:citrix:workspace:2203.4000.4080:*:*:*:*:windows:*:* (missing ltsr in sw_edition)
  • The resolved-in version is incorrectly reported as 2403.1 (the CR resolved-in version) instead of 2402 (the correct LTSR resolved-in version)

This affects all cumulative updates for LTSR 2203.1 (CU1 through CU6), which have version numbers like 22.3.2000.x, 22.3.3000.x, 22.3.4000.x, etc. These are far more common in production than the base release.

To fix

The citrixLTSRVersions list and isCitrixWorkspaceLTSR matching logic in server/vulnerabilities/nvd/indexed_cpe_item.go need to account for CU versions. The LTSR version lines should match broader prefixes. For example, any version starting with "2203." is part of the 2203.1 LTSR line, not just versions starting with "2203.1.".

One approach: change the LTSR version entries to match the major version prefix (e.g., "2203" instead of "2203.1"), or add separate entries for CU version ranges.
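The broader-prefix approach sketched above, as an added illustration that is not Fleet's own code: `citrixLTSRLines`, `mutateCitrixVersion` and `citrixWorkspaceCPE` are hypothetical stand-ins, and the YY.M to YYMM mutation rule is assumed from the version examples in this issue.

```go
package main

import "fmt"
import "strings"

// Stand-in for Fleet's LTSR list (not the project's own): keyed by the mutated
// major version, value is the LTSR resolved-in version for CVE-2024-6286.
var citrixLTSRLines = map[string]string{
	"2203": "2402", // matches 2203.1.41 and every CU (2203.2000.x .. 2203.6000.x)
}

// mutateCitrixVersion rewrites "22.3.4000.4080" as "2203.4000.4080"; the
// YY.M -> YYMM rule is an assumption inferred from the issue's examples.
func mutateCitrixVersion(v string) (string, error) {
	parts := strings.Split(v, ".")
	if len(parts) < 3 {
		return "", fmt.Errorf("unexpected Citrix Workspace version %q", v)
	}
	month := parts[1]
	if len(month) == 1 {
		month = "0" + month
	}
	return parts[0] + month + "." + strings.Join(parts[2:], "."), nil
}

// isCitrixWorkspaceLTSR matches on "<major>." instead of "2203.1.", so
// cumulative updates are LTSR too; returns the LTSR resolved-in version.
func isCitrixWorkspaceLTSR(mutated string) (bool, string) {
	for major, resolvedIn := range citrixLTSRLines {
		if strings.HasPrefix(mutated, major+".") {
			return true, resolvedIn
		}
	}
	return false, ""
}

// citrixWorkspaceCPE puts "ltsr" in sw_edition for LTSR builds, "*" otherwise.
func citrixWorkspaceCPE(mutated string) string {
	sw := "*"
	if ltsr, _ := isCitrixWorkspaceLTSR(mutated); ltsr {
		sw = "ltsr"
	}
	return fmt.Sprintf("cpe:2.3:a:citrix:workspace:%s:*:*:*:%s:windows:*:*", mutated, sw)
}

func main() {
	m, _ := mutateCitrixVersion("22.3.4000.4080") // the CU4 build from the issue
	fmt.Println(m, citrixWorkspaceCPE(m))
}
```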

Steps to reproduce

These steps have been confirmed to consistently lead to reproduction in multiple Fleet instances.

  1. Enroll a Windows host with Citrix Workspace 2203 LTSR CU4 (version 22.3.4000.4080) installed. The installer can be downloaded without authentication from https://downloadplugins.citrix.com/ReceiverUpdates/Prod/Receiver/Win/CitrixWorkspaceApp22.3.4000.4080.exe.
  2. Wait for software inventory to populate and vulnerability scan to run (or trigger via POST /api/latest/fleet/trigger?name=vulnerabilities).
  3. Check CVE-2024-6286 for the host's Citrix Workspace software.
  4. Observe that resolved_in_version is 2403.1 instead of the correct 2402.
  5. Observe that the generated CPE has * for sw_edition instead of ltsr.

More info

Related: #31303, PR #41512

References:

QA

  1. Spin up a Windows VM (e.g., Azure Standard_D2s_v3 with Win2022Datacenter).
  2. Install Citrix Workspace 2203 LTSR CU4 silently:
    • Download from https://downloadplugins.citrix.com/ReceiverUpdates/Prod/Receiver/Win/CitrixWorkspaceApp22.3.4000.4080.exe
    • Run CitrixWorkspaceApp22.3.4000.4080.exe /silent /noreboot
  3. Enroll the host in Fleet using fleetd.
  4. Trigger vulnerability scan: POST /api/latest/fleet/trigger?name=vulnerabilities
  5. Verify that CVE-2024-6286 shows resolved_in_version: "2402" (not "2403.1").
  6. Verify that the generated CPE contains ltsr in the sw_edition field: cpe:2.3:a:citrix:workspace:2203.4000.4080:*:*:*:ltsr:windows:*:*

Labels

  • #g-security-compliance: Security & Compliance product group
  • :product: Product Design department (shows up on 🦢 Drafting board)
  • bug: Something isn't working as documented
  • ~released bug: This bug was found in a stable release.
