Citrix Warns of Critical Flaws in XenMobile Server


Citrix is urging users to immediately patch a pair of critical flaws in its flagship mobile device management software. If exploited, the flaws could allow remote, unauthorized attackers to access domain account credentials – ultimately opening the door to a treasure trove of corporate data, including email and web applications. The flaws exist in Citrix Endpoint Management (CEM), often referred to as XenMobile Server, which enables businesses to manage employees’ mobile devices and mobile applications by controlling device security settings and updates. Overall, five vulnerabilities were discovered – two of which (CVE-2020-8208 and CVE-2020-8209) are rated critical in severity. [![](https://media.threatpost.com/wp-content/uploads/sites/103/2020/08/06145744/Threatpost_CC_webinar-269x300.png)](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) Register today! “We recommend these upgrades be made immediately,” Fermin J. Serna, Chief Information Security Officer at Citrix, [said in a Tuesday post](<https://www.citrix.com/blogs/2020/08/11/citrix-provides-security-update-on-citrix-endpoint-management/>). “While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit.” One of the two critical flaws discovered, CVE-2020-8209, is a path traversal flaw that stems from insufficient input validation. Path traversal bugs stem from web security glitches that enable bad actors to read arbitrary files on the server that is running an application. That’s the case here, as Positive Technologies expert Andrey Medov, who discovered the flaw, [said that](<https://www.ptsecurity.com/ww-en/about/news/citrix-fixes-xenmobile-vulnerability-found-by-positive-technologies/>) attackers can exploit the flaw by convincing users to follow a specially crafted URL. They would then be able to access arbitrary files outside the web server root directory, including configuration files and encryption keys for sensitive data. “Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP [Lightweight Directory Access Protocol; an industry standard protocol used for accessing distributed directory information services over an IP network] access,” said Medov in a statement. “With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications. Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as database password (local PostgreSQL by default and a remote SQL Server database in some cases).” Specifically impacted at a critical level by the dual vulnerabilities is: XenMobile Server 10.12 before RP2, XenMobile Server 10.11 before RP4, XenMobile Server 10.10 before RP6 and XenMobile Server before 10.9 RP5. The remaining three flaws (CVE-2020-8210, CVE-2020-8211 and CVE-2020-8212) are rated medium- and low-severity. Further details on these vulnerabilities, as well as on the second critical flaw (CVE-2020-8208) have not been published; Threatpost has reached out to Citrix for comment. These lesser severity flaws affect CEM versions: XenMobile Server 10.12 before RP3, XenMobile Server 10.11 before RP6, XenMobile Server 10.10 before RP6 and XenMobile Server before 10.9 RP5. “The latest rolling patches that need to be applied for versions 10.9, 10.10, 10.11, and 10.12 are available immediately,” said Serna. “Any versions prior to 10.9.x must be upgraded to a supported version with the latest rolling patch. We recommend that you upgrade to 10.12 RP3, the latest supported version.” Citrix joins in on a slew of companies issuing regularly scheduled security updates this week, including [Intel](<https://threatpost.com/critical-intel-flaw-motherboards-server-compute-modules/158270/>), which stomped out a critical-severity vulnerability affecting several of its motherboards, server systems and compute modules; [Microsoft](<https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/>), which fixed 120 bugs including two under active attack; and [Adobe](<https://threatpost.com/critical-adobe-acrobat-reader-bugs-rce/158261/>), which patched 11 critical security holes in Acrobat and Reader. Earlier in the year, [Citrix in January grappled with](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) a critical vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, as well as [multiple vulnerabilities in these same products](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) in June allowing code injection, information disclosure and denial of service. _**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**” brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._ Write a comment **Share this article:** * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)