Patch Critical Citrix Endpoint Management (XenMobile Servers) Vulnerabilities Now

Five vulnerabilities, including two critical flaws, have been identified in Citrix Endpoint Management (CEM) – also known as XenMobile Server – which is used by businesses to manage employees’ mobile devices and applications, apply updates, and manage security settings.

The critical flaws – tracked as CVE-2020-8208 and CVE-2020-8209 – could be exploited remotely and would allow an unauthenticated individual to access domain account credentials and take control of vulnerable XenMobile Servers, which would allow unauthorized access to email, VPN, web applications, and sensitive corporate data. Information has only been released on one of the critical flaws, CVE-2020-8209, which is a path traversal vulnerability caused by insufficient input validation.

“Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access,” said Andrey Medov of Positive Technologies, who has been credited with identifying the vulnerability.

The critical flaws could be exploited by convincing a user to visit a specially crafted webpage, which would allow the attacker to read arbitrary files accessible to the application, including its configuration files, and obtain the encryption keys for sensitive data. Citrix anticipates malicious actors moving quickly to exploit the flaws.

These two vulnerabilities affect the following XenMobile Server versions:

  • XenMobile Server 10.12 prior to RP2
  • XenMobile Server 10.11 prior to RP4
  • XenMobile Server 10.10 prior to RP6
  • XenMobile Server prior to 10.9 RP5

The remaining three vulnerabilities (CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212) are rated as medium and low severity and affect the following XenMobile Server versions:

  • XenMobile Server 10.12 prior to RP3
  • XenMobile Server 10.11 prior to RP6
  • XenMobile Server 10.10 prior to RP6
  • XenMobile Server prior to 10.9 RP5
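The two lists above are easy to misread during a patch sweep: the fixed rolling-patch (RP) level differs between the critical and the medium/low advisories, and the last entry covers every release older than 10.9 RP5, not just the 10.9 branch. The following Python is an added example, not code from Citrix or from this article, that turns the page's version thresholds into an inventory check. The `assess_inventory` helper, the host names, and the version strings in `INVENTORY` are constructed for illustration; only the fixed RP levels come from the lists above.

```python
"""Classify XenMobile Server versions against the fixed RP levels
quoted in this article (added example; thresholds taken from the page)."""
import re

# Minimum rolling patch that fixes the two critical flaws
# (CVE-2020-8208, CVE-2020-8209), per the first list in the article.
CRITICAL_FIXED_RP = {(10, 12): 2, (10, 11): 4, (10, 10): 6, (10, 9): 5}

# Minimum rolling patch that fixes the medium/low flaws
# (CVE-2020-8210, -8211, -8212), per the second list in the article.
MEDIUM_LOW_FIXED_RP = {(10, 12): 3, (10, 11): 6, (10, 10): 6, (10, 9): 5}

# Accepts "10.12", "10.12 RP1", "10.11 rp4" and similar; other spellings
# (e.g. build numbers) are rejected rather than silently guessed.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*RP\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, rp) for a XenMobile version string; rp is 0 if absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XenMobile version string: {text!r}")
    major, minor, rp = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, rp)


def status(version, fixed_rp):
    """'affected', 'patched', or 'not_listed' for one advisory table."""
    major, minor, rp = parse_version(version)
    branch = (major, minor)
    # "XenMobile Server prior to 10.9 RP5": any branch older than the oldest
    # listed branch is below the threshold regardless of its own RP level.
    if branch < min(fixed_rp):
        return "affected"
    if branch in fixed_rp:
        return "affected" if rp < fixed_rp[branch] else "patched"
    # Branches newer than those in the advisory are out of scope of the
    # tables above; report that instead of guessing either way.
    return "not_listed"


def assess(version):
    """Status of one server against both advisory tables."""
    return {
        "version": version,
        "critical": status(version, CRITICAL_FIXED_RP),
        "medium_low": status(version, MEDIUM_LOW_FIXED_RP),
    }


def assess_inventory(inventory):
    """Return the hosts that still need a patch, with the reason.

    `inventory` is an iterable of (hostname, version_string) pairs.
    """
    needs_patch = []
    for host, version in inventory:
        result = assess(version)
        if "affected" in (result["critical"], result["medium_low"]):
            result["host"] = host
            needs_patch.append(result)
    return needs_patch


# Constructed sample inventory; host names and versions are made up.
INVENTORY = [
    ("xm-prod-01", "10.12 RP1"),   # critical + medium/low outstanding
    ("xm-prod-02", "10.12 RP2"),   # critical fixed, medium/low outstanding
    ("xm-prod-03", "10.12 RP3"),   # fully patched
    ("xm-dr-01",   "10.11 RP5"),   # critical fixed, medium/low outstanding
    ("xm-lab-01",  "10.8 RP9"),    # older than 10.9 RP5: affected by both
]

if __name__ == "__main__":
    for entry in assess_inventory(INVENTORY):
        print(f"{entry['host']:<12} {entry['version']:<10} "
              f"critical={entry['critical']} medium_low={entry['medium_low']}")
```

The check deliberately distinguishes "patched" from "not_listed": a branch newer than 10.12 is outside the article's tables, and a sweep that treated it as safe by default would hide hosts that need a look at the current Citrix advisory. Hosts on 10.9.x still appear as needing work, which matches the article's note that they must first move to a supported version.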

Due to the high potential for exploitation and the seriousness of the critical flaws, Citrix strongly advises all users of the vulnerable software versions to apply the patches immediately. While there were no known exploits at the time of the release of the patches, critical vulnerabilities of this nature are likely to be exploited quickly.

Patches are available for customers using XenMobile Server versions 10.9, 10.10, 10.11 and 10.12. Customers using version 10.9.x will first be required to upgrade to a supported version of the software before applying the patch. The XenMobile cloud versions of the software will be updated automatically, so no action is required.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news