Patches Available to Resolve Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server

Two critical vulnerabilities, tracked as CVE-2020-8208 and CVE-2020-8209, were identified in Citrix Endpoint Management (CEM) / XenMobile Server. An unauthenticated attacker could exploit the vulnerabilities to obtain the credentials of a domain account, take complete control of an unpatched XenMobile Server, gain access to email, VPN, and web apps, and obtain sensitive company and patient records.

Many businesses use CEM/XenMobile Server to manage employees’ mobile devices, deploy updates, control security configurations, and support various in-house applications. The nature of the vulnerabilities means attackers are likely to develop exploits quickly, so prompt patching is necessary.

Details have been released only for the critical vulnerability CVE-2020-8209. It is a path traversal vulnerability caused by inadequate input validation. An unauthenticated attacker who exploits it could read arbitrary files of the application running on the server. Those files include configuration files, from which the attacker could obtain encryption keys that allow sensitive information to be decrypted. The vulnerabilities can be exploited by persuading a user to visit a specially crafted web page.

Andrey Medov of Positive Technologies, who discovered the vulnerability, said that it enables hackers to obtain data that could be used to breach the perimeter, since the configuration file usually stores the credentials of the domain account used for LDAP access. Having domain account access allows a remote attacker to obtain data used for authentication to other external organization resources, such as company email, VPN, and web apps. Moreover, an attacker who has viewed the configuration file could obtain sensitive information, including a database password.

Three more vulnerabilities, rated medium and low severity, were also identified. Citrix has not released details on these vulnerabilities, tracked as CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212.

The critical vulnerabilities affect the following versions:

XenMobile Server 10.12 prior to RP2
XenMobile Server 10.11 prior to RP4
XenMobile Server 10.10 prior to RP6
XenMobile Server prior to 10.9 RP5

The medium and low severity vulnerabilities affect the following versions:

XenMobile Server 10.12 prior to RP3
XenMobile Server 10.11 prior to RP6
XenMobile Server 10.10 prior to RP6
XenMobile Server prior to 10.9 RP5

Citrix expects that attackers will quickly develop exploits and begin exploiting the vulnerabilities, and therefore strongly recommends prompt patching.

Citrix has released patches for XenMobile Server versions 10.9, 10.10, 10.11, and 10.12. Customers running XenMobile Server 10.9.x should upgrade to a supported version before applying the patch; Citrix recommends upgrading to 10.12 RP3. Cloud versions of XenMobile are updated automatically, so no action is required.
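To turn the two affected-version lists above into a check an administrator can run against an asset inventory, here is an added example (not code from Citrix or the original article). It parses version strings in an assumed "10.12 RP2" / "10.11.0 RP4" format and reports whether a given XenMobile Server build is still exposed to the critical or the medium/low group; treating releases older than 10.9 as affected is a reading of the advisory's "prior to 10.9 RP5" wording.

```python
import re

# Fix thresholds taken from the advisory lists: (major, minor) release ->
# the first rolling patch (RP) that resolves the group. RP 0 means no RP applied.
CRITICAL_FIXED_RP = {(10, 12): 2, (10, 11): 4, (10, 10): 6, (10, 9): 5}
MEDIUM_LOW_FIXED_RP = {(10, 12): 3, (10, 11): 6, (10, 10): 6, (10, 9): 5}

# Assumed inventory format: "10.12 RP2", "10.11.0 RP4" or just "10.9".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)?(?:\s*RP\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, rp) for a XenMobile Server version string."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised XenMobile version string: {text!r}")
    major, minor, rp = match.groups()
    return int(major), int(minor), int(rp) if rp else 0


def is_affected(text, fixed_rp):
    """True if the build is below the fixed RP for its release."""
    major, minor, rp = parse_version(text)
    release = (major, minor)
    if release < min(fixed_rp):
        # Older than 10.9: covered by "prior to 10.9 RP5" (assumed reading),
        # and out of support, so treat as affected.
        return True
    if release not in fixed_rp:
        # Newer than anything the advisory lists: not in scope of this check.
        return False
    return rp < fixed_rp[release]


def assess(text):
    """Summarise which vulnerability groups a given build is exposed to."""
    return {
        "critical": is_affected(text, CRITICAL_FIXED_RP),
        "medium_low": is_affected(text, MEDIUM_LOW_FIXED_RP),
    }


if __name__ == "__main__":
    # Constructed sample inventory entries, not real hosts.
    for host, version in [("mdm-01", "10.12 RP1"), ("mdm-02", "10.12 RP3"),
                          ("mdm-03", "10.9 RP4")]:
        print(host, version, assess(version))
```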