Critical Flaws Affect Citrix Endpoint Management (XenMobile Servers)

Citrix today released patches for multiple new security vulnerabilities affecting its Citrix Endpoint Management (CEM), also known as XenMobile, a product made for enterprises to help companies manage and secure their employees’ mobile devices remotely.

Citrix Endpoint Management offers businesses mobile device management (MDM) and mobile application management (MAM) capabilities. It allows companies to control which apps their employees can install while ensuring updates and security settings are applied to keep business information protected.

According to Citrix, there are a total of 5 vulnerabilities that affect on-premise instances of XenMobile servers used in enterprises to manage all apps, devices, or platforms from one central location.

“Remediations have already been applied to cloud versions, but hybrid rights users need to apply the upgrades to any on-premises instance,” the company said in a post today.

If left unpatched and exploited successfully, the newly identified security vulnerabilities could collectively allow unauthenticated attackers to gain administrative privileges on affected XenMobile Servers.

> “We recommend these upgrades be made immediately. While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit,” the company warned.

The two vulnerabilities—tracked as CVE-2020-8208 and CVE-2020-8209 and rated as critical—impact following XenMobile Server versions:

• XenMobile Server 10.12 before RP2
• XenMobile Server 10.11 before RP4
• XenMobile Server 10.10 before RP6
• XenMobile Server before 10.9 RP5

Whereas, the other three security vulnerabilities—tracked as CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212 and rated medium/low in severity—resides in the following versions:

• XenMobile Server 10.12 before RP3
• XenMobile Server 10.11 before RP6
• XenMobile Server 10.10 before RP6
• XenMobile Server before 10.9 RP5

One of the critical flaws (CVE-2020-8209), discovered by Andrey Medov of Positive Technologies, could allow an unauthenticated attacker to read arbitrary files outside the web-server root directory, including configuration files and encryption keys for sensitive data.

> “Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access,” Mendov explained.

Therefore, with access to the domain account, the remote attacker can target other external company resources, such as corporate mail, VPN, and web applications.

What’s worse, according to the researcher, is that the attacker who has managed to read the configuration file can access sensitive data, like database password (local PostgreSQL by default and a remote SQL Server database in some cases).

However, since the database is stored inside the corporate perimeter and cannot be accessed from the outside, Mendov said, “this attack vector can only be used in complex attacks, for example, with the involvement of an insider accomplice.”

> “The latest rolling patches that need to be applied for versions 10.9, 10.10, 10.11, and 10.12 are available immediately,” Citrix notes in a blog post.

“Any versions prior to 10.9.x must be upgraded to a supported version with the latest rolling patch. We recommend that you upgrade to 10.12 RP3, the latest supported version.”

Since Citrix products have recently emerged as one of the favorite targets for hackers after wild exploitation of Citrix ADC, Gateway and Sharefile vulnerabilities, users are highly recommended to patch their systems to the latest versions of the software.

To be noted, the company has not yet revealed technical details of the vulnerabilities but has already pre-notified several major CERTs around the world and its customers on July 23.

Found this article interesting? Follow THN on Facebook, Twitter  and LinkedIn to read more exclusive content we post.