Citrix Endpoint Management/XenMobile Server Patches Released

Patches have been released to address two critical vulnerabilities in Citrix Endpoint Management (CEM) / XenMobile Server. The flaws could be exploited by an unauthenticated individual to access domain account credentials, take complete control of a XenMobile Server, and view VPN, email, and web applications and obtain sensitive corporate information.

One of the flaws was discovered by Andrey Medov of Positive Technologies, who said: “Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access. With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications. Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as the database password (local PostgreSQL by default and a remote SQL Server database in some cases).”

A lot of companies use CEM/XenMobile Server to manage staff members’ mobile devices, run updates, and configure security measures, and the toolkit is used to support many internal applications. Given how easily the flaws can be exploited, it will be no surprise to see cybercriminals targeting them very soon.

The flaws have been assigned CVE-2020-8208 and CVE-2020-8209. So far, details have only been made available on CVE-2020-8209. It is a path traversal vulnerability resulting from inadequate input validation. Should it be targeted and exploited, a hacker could read arbitrary files on the server running the application. Data could be accessed in configuration files, and encryption keys could be obtained and used to decrypt sensitive data.

Three other vulnerabilities, tracked as CVE-2020-8210, CVE-2020-8211 and CVE-2020-8212, have also been patched. All are rated medium- or low-severity. Information on these flaws has not yet been released by Citrix.

CVE-2020-8208 and CVE-2020-8209 impact:

  • XenMobile Server 10.12 earlier than RP2
  • XenMobile Server 10.11 earlier than RP4
  • XenMobile Server 10.10 earlier than RP6
  • XenMobile Server earlier than 10.9 RP5

The medium and low severity flaws impact:

  • XenMobile Server 10.12 earlier than RP3
  • XenMobile Server 10.11 earlier than RP6
  • XenMobile Server 10.10 earlier than RP6
  • XenMobile Server earlier than 10.9 RP5

Citrix has stated that the patches should be applied immediately as cybercriminals will be sure to create exploits quickly.

Citrix has not made available patches for XenMobile Server versions 10.9, 10.10, 10.11, and 10.12. Anyone who is running version 10.9x of XenMobile Server must upgrade to a supported version of the software before applying the patch. Citrix also advises upgrading to 10.12 RP3. The cloud versions of XenMobile have been automatically updated, so no action is necessary to correct the vulnerabilities there.

Author: Maria Perez