Two critical vulnerabilities have been discovered in XenMobile Server / Citrix Endpoint Management (CEM). An unauthenticated attacker may exploit the vulnerabilities, tracked as CVE-2020-8208 and CVE-2020-8209, to obtain the credentials of a domain account, take full control of a vulnerable XenMobile Server, and access email, VPN, and web applications, thereby getting hold of sensitive company and patient information.
Numerous companies use CEM/XenMobile Server to manage their employees' mobile devices, deliver updates, manage security settings, and support in-house software applications. Because attackers could quickly develop exploits for these vulnerabilities, immediate patching is essential.
Only one detail is available regarding the critical vulnerability CVE-2020-8209: it is a path traversal vulnerability caused by insufficient input validation. An unauthenticated attacker who finds it can read arbitrary files on the server, including configuration files, and so obtain the encryption keys needed to decrypt sensitive data. The vulnerabilities can be exploited by convincing a user to visit a particular web page.
Positive Technologies' Andrey Medov, who discovered the vulnerability, said that exploiting it enables hackers to acquire data that may be used for breaching the perimeter, since the configuration file usually holds the credentials of the domain account used for LDAP access. A remote attacker can obtain the domain account and use it to authenticate to other external company resources, such as corporate mail, web apps, and VPNs. An attacker could also view the configuration file and access sensitive information, including database passwords.
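To make the root cause concrete, the following is an added illustration (not code from Citrix or from the article) of the defect class described above: a file-serving routine that joins a caller-supplied path onto a base directory without validation, placed beside a hardened version that resolves the joined path and refuses anything that lands outside the base directory. The directory layout, file names and contents are constructed for the demo and are not XenMobile paths.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample layout (not a real product layout):
#   <tmp>/webroot/index.html   - a file that may legitimately be served
#   <tmp>/secret.conf          - a file that must never be reachable via the web root
_root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
WEB_ROOT = _root / "webroot"
WEB_ROOT.mkdir()
(WEB_ROOT / "index.html").write_text("<html>ok</html>")
(_root / "secret.conf").write_text("ldap.password=EXAMPLE-NOT-REAL")


class TraversalRejected(ValueError):
    """Raised by the hardened reader when a request escapes the base directory."""


def read_file_vulnerable(base: Path, requested: str) -> str:
    """Insufficient input validation: the caller-supplied path is joined as-is,
    so a request containing '..' segments (or an absolute path) escapes base."""
    return (base / requested).read_text()


def is_within(base: Path, requested: str) -> bool:
    """True only if base/requested, after normalisation and symlink resolution,
    is base itself or a descendant of base."""
    if "\x00" in requested or os.path.isabs(requested):
        return False
    base_real = base.resolve()
    target = (base_real / requested).resolve()
    return target == base_real or base_real in target.parents


def read_file_hardened(base: Path, requested: str) -> str:
    """Same API as the vulnerable reader, but the containment check is enforced
    before any file is opened."""
    if not is_within(base, requested):
        raise TraversalRejected(requested)
    return (base.resolve() / requested).resolve().read_text()


if __name__ == "__main__":
    print(read_file_vulnerable(WEB_ROOT, "../secret.conf"))  # escapes the web root
    try:
        read_file_hardened(WEB_ROOT, "../secret.conf")
    except TraversalRejected as exc:
        print("rejected:", exc)
```

The check is done on the fully resolved path rather than by string-matching for `..`, so encoded or nested variants (`a/../../x`, symlinks pointing outside the root) are handled by the same rule. A pre-resolution reject of NUL bytes and absolute paths is still needed because `Path.joinpath` replaces the base entirely when the right-hand side is absolute.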
Three more vulnerabilities, tracked as CVE-2020-8210, CVE-2020-8211 and CVE-2020-8212, have been rated medium and low severity. Citrix has not yet released any details on these vulnerabilities.
The critical vulnerabilities impact the following:
- XenMobile Server 10.12 prior to RP2
- XenMobile Server 10.11 prior to RP4
- XenMobile Server prior to 10.9 RP5
- XenMobile Server 10.10 prior to RP6
The vulnerabilities with medium and low severity impact the following:
- XenMobile Server 10.12 prior to RP3
- XenMobile Server prior to 10.9 RP5
- XenMobile Server 10.11 prior to RP6
- XenMobile Server 10.10 prior to RP6
Citrix is convinced that attackers could quickly create exploits and begin exploiting the vulnerabilities; consequently, prompt patching is highly recommended.
Citrix has issued patches for XenMobile Server versions 10.9, 10.10, 10.11, and 10.12. Users running a 10.9.x version of XenMobile Server must first upgrade to a supported version before they can apply the patch; Citrix recommends upgrading to 10.12 RP3. The cloud versions of XenMobile receive automatic updates, so no action is needed there.