Patches Released to Fix Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server

Two critical flaws have been found in Citrix Endpoint Management (CEM) / XenMobile Server. The flaws could be exploited by an unauthenticated attacker to access domain account credentials, take full control of a vulnerable XenMobile Server, and access VPN, email, and web applications and obtain sensitive corporate and patient data.

CEM/XenMobile Server is used by many businesses to manage employees’ mobile devices, apply updates, and manage security settings, and its toolkit supports many in-house applications. The nature of the flaws makes it likely that hackers will move to develop exploits quickly, so immediate patching is essential.

The two critical flaws are tracked as CVE-2020-8208 and CVE-2020-8209. Information has only been released on one of the critical flaws – CVE-2020-8209 – which is a path traversal vulnerability due to insufficient input validation. If exploited, an unauthenticated attacker could read arbitrary files on the server running the application. Those files include configuration files and encryption keys, which would allow sensitive data to be decrypted. The flaws could be exploited by convincing a user to visit a specially crafted web page.

Andrey Medov of Positive Technologies was credited with discovering the flaw. “Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access,” said Medov. “With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications. Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as the database password (local PostgreSQL by default and a remote SQL Server database in some cases).”

The three other vulnerabilities, tracked as CVE-2020-8210, CVE-2020-8211 and CVE-2020-8212, are rated medium and low severity. Information on these flaws has not yet been released by Citrix.

The critical vulnerabilities affect:

  • XenMobile Server 10.12 prior to RP2
  • XenMobile Server 10.11 prior to RP4
  • XenMobile Server 10.10 prior to RP6
  • XenMobile Server prior to 10.9 RP5

The medium and low severity vulnerabilities affect:

  • XenMobile Server 10.12 prior to RP3
  • XenMobile Server 10.11 prior to RP6
  • XenMobile Server 10.10 prior to RP6
  • XenMobile Server prior to 10.9 RP5

Citrix believes it will not take long for hackers to develop exploits and start exploiting the flaws, so immediate patching is strongly recommended.

Citrix has released patches for XenMobile Server versions 10.9, 10.10, 10.11, and 10.12. Customers using version 10.9.x of XenMobile Server must upgrade to a supported version of the software before the patch can be applied. An upgrade to 10.12 RP3 is recommended by Citrix. The cloud versions of XenMobile have been automatically updated, so no action is required.
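For triaging an on-premises fleet against the affected-version lists above, here is an added example (not from the article or from Citrix) that parses XenMobile Server version strings of the form "10.12 RP1" and sorts hosts into patch-priority buckets. The fixed rolling-patch levels are taken from the lists above; the hostnames and version strings in the sample inventory are constructed, and a branch newer than 10.12 is reported as not covered by this advisory rather than guessed at.

```python
import re

# Rolling-patch (RP) level at which each branch is fixed, per the affected-version lists above.
# Any branch older than 10.9 is affected regardless of RP level ("prior to 10.9 RP5").
CRITICAL_FIX = {(10, 12): 2, (10, 11): 4, (10, 10): 6, (10, 9): 5}
MEDIUM_LOW_FIX = {(10, 12): 3, (10, 11): 6, (10, 10): 6, (10, 9): 5}

# Accepts "10.12", "10.12 RP2", "10.12.0 RP2"; case-insensitive on "RP".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:RP\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Parse 'major.minor [RPn]' into (major, minor, rp). A missing RP means the base release (RP0)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XenMobile Server version string: {text!r}")
    major, minor, rp = m.groups()
    return int(major), int(minor), int(rp or 0)


def _affected(version, fix_table):
    major, minor, rp = version
    branch = (major, minor)
    if branch < (10, 9):
        return True  # every release before 10.9 is affected
    if branch in fix_table:
        return rp < fix_table[branch]
    return None  # branch newer than this advisory covers: unknown, check Citrix directly


def assess(text):
    """Return (critical_affected, medium_low_affected); None means not covered by this advisory."""
    v = parse_version(text)
    return _affected(v, CRITICAL_FIX), _affected(v, MEDIUM_LOW_FIX)


def triage(inventory):
    """Bucket (hostname, version) pairs by the most severe unpatched issue."""
    report = {"critical": [], "medium_low": [], "patched": [], "unknown": []}
    for host, ver in inventory:
        crit, med = assess(ver)
        if crit:
            report["critical"].append(host)
        elif med:
            report["medium_low"].append(host)
        elif crit is None:
            report["unknown"].append(host)
        else:
            report["patched"].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames), not real systems.
    sample = [("mdm-01", "10.12 RP1"), ("mdm-02", "10.12 RP2"), ("mdm-03", "10.12 RP3"),
              ("mdm-04", "10.9"), ("mdm-05", "10.8 RP3"), ("mdm-06", "10.13")]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```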

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.