This week Citrix released patches for Citrix Endpoint Management, better known as XenMobile Server, its corporate mobile device management (MDM) product. The fixed issues allow an attacker to gain administrative privileges on vulnerable systems.
The severity of the issues, which received the identifiers CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211 and CVE-2020-8212, depends on the XenMobile version in use. The vulnerabilities are rated critical for XenMobile Server 10.12 before RP2, 10.11 before RP4, 10.10 before RP6, and all versions before 10.9 RP5. For 10.12 before RP3, 10.11 before RP6, 10.10 before RP6, and all versions before 10.9 RP5, the risk is rated low to medium.
Citrix writes that all 10.9.x installations should be updated immediately (preferably to the latest release, 10.12 RP3), since some of the problems can be exploited remotely and without authentication. More than 70% of potentially vulnerable customers who were notified in advance have already installed the available fixes.
“We recommend updating immediately. Although there are currently no known exploits (for these problems), we expect attackers to use them very soon,” the company warns.
While Citrix has not disclosed the details of the issues, CVE-2020-8209 was discovered by Positive Technologies specialist Andrey Medov. According to him, it belongs to the path traversal class and stems from insufficient validation of input data.
"The exploitation of this vulnerability allows obtaining information that can be useful when crossing the perimeter, since the configuration file often stores a domain account for connecting to LDAP," the expert says. "A remote attacker can use the received data for authentication on other external company resources: corporate mail, VPN, web applications. In addition, having read the configuration file, an attacker can gain access to important data, for example, a password for a database (by default, the local PostgreSQL; in some cases, a remote SQL Server). However, given that the database is located inside the corporate perimeter and cannot be connected to from the outside, this vector can only be used in complex attacks, for example, with the help of an accomplice within the company."
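To make the vulnerability class concrete, here is an added illustration of how insufficient input validation turns into a path traversal that exposes a configuration file outside the web root, and what the hardened check looks like. This is generic example code written for this article, not XenMobile code and not the CVE-2020-8209 exploit; the web root, the file names, the handler functions and the contents of the "LDAP bind account" config file are all constructed for the demo.

```python
"""Path traversal from insufficient input validation: a naive file handler
beside a hardened one. Added illustration; not Citrix/XenMobile code and not
the CVE-2020-8209 exploit. Paths, file names and the config contents are
constructed for the demo."""
import atexit
import os
import shutil
import tempfile
from urllib.parse import unquote

# Constructed sandbox: a web root with one public file, and a config file
# OUTSIDE the web root holding a hypothetical LDAP bind account.
ROOT = tempfile.mkdtemp(prefix="webroot-")
OUTSIDE = tempfile.mkdtemp(prefix="conf-")
atexit.register(shutil.rmtree, ROOT, ignore_errors=True)
atexit.register(shutil.rmtree, OUTSIDE, ignore_errors=True)
with open(os.path.join(ROOT, "logo.png"), "wb") as fh:
    fh.write(b"PNG-bytes")
with open(os.path.join(OUTSIDE, "server.properties"), "w") as fh:
    fh.write("ldap.bind.dn=CN=svc-mdm,OU=Service,DC=corp,DC=example\n"
             "ldap.bind.password=not-a-real-secret\n")


def serve_insecure(requested: str) -> bytes:
    """Naive handler: blacklists the literal '../' in the raw request,
    then URL-decodes and joins. Two defects: the check runs before
    decoding, so '..%2F' slips past it, and os.path.join() discards the
    root entirely when the decoded value is an absolute path."""
    if "../" in requested:
        raise PermissionError("traversal rejected")
    path = os.path.join(ROOT, unquote(requested))
    with open(path, "rb") as fh:
        return fh.read()


ROOT_REAL = os.path.realpath(ROOT)


def serve_hardened(requested: str) -> bytes:
    """Decode once, resolve the full path (symlinks and '..' included),
    then require the result to be inside the web root. commonpath() is
    used instead of startswith() so that a sibling directory such as
    '/tmp/webroot-abc2' is not accepted as a prefix of '/tmp/webroot-abc'."""
    decoded = unquote(requested)
    target = os.path.realpath(os.path.join(ROOT_REAL, decoded))
    if os.path.commonpath([ROOT_REAL, target]) != ROOT_REAL:
        raise PermissionError("path escapes web root: %s" % target)
    with open(target, "rb") as fh:
        return fh.read()


def traversal_payload() -> str:
    """Request that climbs out of ROOT into the sibling config directory
    with the slash URL-encoded, so the raw string never contains '../'."""
    return "..%2F" + os.path.basename(OUTSIDE) + "/server.properties"


def absolute_payload() -> str:
    """Second bypass of the naive handler: an absolute path, which
    os.path.join() returns unchanged, dropping ROOT."""
    return os.path.join(OUTSIDE, "server.properties")


def is_served(handler, requested: str) -> bool:
    """True if the handler returns file contents, False if it refuses."""
    try:
        handler(requested)
        return True
    except (PermissionError, FileNotFoundError, IsADirectoryError):
        return False


if __name__ == "__main__":
    for name, handler in (("insecure", serve_insecure), ("hardened", serve_hardened)):
        print(name, "logo.png:", is_served(handler, "logo.png"))
        print(name, "encoded traversal:", is_served(handler, traversal_payload()))
        print(name, "absolute path:", is_served(handler, absolute_payload()))
```

The point of the hardened version is the order of operations: decode the input exactly once, canonicalize the joined path, and only then compare it to the canonical root. A substring blacklist on the raw request is what "insufficient validation of input data" typically looks like in practice, and it is defeated by encoding or by an absolute path without any exotic tricks.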