Select Page

Citrix today released patches for multiple new security vulnerabilities affecting its Citrix Endpoint Management (CEM), also known as XenMobile, a product made for enterprises to help companies manage and secure their employees’ mobile devices remotely.

Citrix Endpoint Management offers businesses mobile device management (MDM) and mobile application management (MAM) capabilities. It allows companies to control which apps their employees can install while ensuring updates and security settings are applied to keep business information protected.

According to Citrix, there are a total of 5 vulnerabilities that affect on-premise instances of XenMobile servers used in enterprises to manage all apps, devices, or platforms from one central location.

“Remediations have already been applied to cloud versions, but hybrid rights users need to apply the upgrades to any on-premises instance,” the company said in a post today.

If left unpatched and exploited successfully, the newly identified security vulnerabilities could collectively allow unauthenticated attackers to gain administrative privileges on affected XenMobile Servers.

“We recommend these upgrades be made immediately. While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit,” the company warned.

The two vulnerabilities—tracked as CVE-2020-8208 and CVE-2020-8209 and rated as critical—impact following XenMobile Server versions:

  • XenMobile Server 10.12 before RP2
  • XenMobile Server 10.11 before RP4
  • XenMobile Server 10.10 before RP6
  • XenMobile Server before 10.9 RP5

Whereas, the other three security vulnerabilities—tracked as CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212 and rated medium/low in severity—resides in the following versions:

  • XenMobile Server 10.12 before RP3
  • XenMobile Server 10.11 before RP6
  • XenMobile Server 10.10 before RP6
  • XenMobile Server before 10.9 RP5

One of the critical flaws (CVE-2020-8209), discovered by Andrey Medov of Positive Technologies, could allow an unauthenticated attacker to read arbitrary files outside the web-server root directory, including configuration files and encryption keys for sensitive data.

“Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access,” Mendov explained.

Therefore, with access to the domain account, the remote attacker can target other external company resources, such as corporate mail, VPN, and web applications.​

images from Hacker News