Citrix Expects Hackers to Exploit Newly Patched XenMobile Vulnerabilities

Citrix on Tuesday released patches to address multiple vulnerabilities in Citrix Endpoint Management (CEM), which allow an attacker to gain administrative privileges on affected systems.

Often referred to as XenMobile, the Citrix Endpoint Management (CEM) server provides businesses with management capabilities for both mobile devices and applications, and allows employees to work on both enterprise-provided and personal devices.

The severity of the identified vulnerabilities, which carry the CVE identifiers CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212, differs based on the installed version of XenMobile.

Specifically, the vulnerabilities are rated critical for XenMobile Server 10.12 before RP2, 10.11 before RP4, 10.10 before RP6, and all versions before 10.9 RP5. For XenMobile Server versions 10.12 before RP3, 10.11 before RP6, 10.10 before RP6, and releases prior to 10.9 RP5, the impact is medium or low.

“The latest rolling patches that need to be applied for versions 10.9, 10.10, 10.11, and 10.12 are available immediately. Any versions prior to 10.9.x must be upgraded to a supported version with the latest rolling patch. We recommend that you upgrade to 10.12 RP3, the latest supported version,” Fermin Serna, Citrix’s CISO, notes in a blog post.

The company did not provide technical details on the addressed vulnerabilities, but revealed that it pre-notified CERTs and customers on July 23. To date, more than 70% of the impacted customers that were pre-notified have installed the available patches.

“We recommend these upgrades be made immediately. While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit,” Serna warned.

Responding to a SecurityWeek inquiry, Citrix refrained from providing information on the type of addressed vulnerabilities, but revealed that they could be exploited remotely, without authentication.

“Collectively, these issues could result in a remote unauthenticated attacker gaining administrative control of a Citrix Endpoint Management (CEM) server,” a Citrix spokesperson said.

The company credited Andrey Medov of Positive Technologies, Glyn Wintle of Tradecraft, and Kristian Bremberg of Detectify for identifying the vulnerabilities.

Medov reveals that the security flaw he identified, namely CVE-2020-8209, is “related to Path Traversal and is a result of insufficient input validation.”

An unauthenticated attacker using a specially crafted URL could exploit the flaw to access sensitive data such as configuration files and encryption keys that are stored outside the web server root directory. If the compromised data includes domain account credentials for LDAP access, the attacker could then breach the perimeter, the researcher says.
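The traversal class Medov describes comes down to a server resolving a request path against its web root without checking where the result lands. As an added illustration (not code from Citrix or the researchers), the weak resolver pattern is shown beside a hardened one; the web root path and the function names are hypothetical.

```python
import os
import urllib.parse

# Hypothetical web root used only for this illustration (not a real CEM path).
WEB_ROOT = "/opt/example-mdm/webroot"


def resolve_naive(web_root, requested):
    """Weak pattern: joins the request path onto the root with no containment
    check, so '../' segments walk out of the web root (the bug class above)."""
    return os.path.normpath(os.path.join(web_root, requested.lstrip("/")))


def resolve_safe(web_root, requested):
    """Hardened pattern: decode, reject NUL bytes, canonicalise, then verify the
    result still lies inside the web root. Returns None on any violation."""
    # Decode twice so double-encoded sequences such as %252e%252e are caught;
    # this is deliberately strict and may reject odd but legitimate names.
    decoded = urllib.parse.unquote(urllib.parse.unquote(requested))
    if "\x00" in decoded:
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath (not startswith) also blocks sibling-prefix tricks such as
    # /opt/x/webroot2 being accepted for a root of /opt/x/webroot.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def looks_like_traversal(request_path):
    """Cheap detection heuristic for access-log review: flags raw, URL-encoded
    and double-encoded dot-dot sequences in a request path."""
    lowered = request_path.lower()
    return any(m in lowered for m in ("../", "..\\", "%2e%2e", "%252e"))


if __name__ == "__main__":
    # Constructed sample request, not an observed exploit URL.
    sample = "../../../etc/passwd"
    print("naive  ->", resolve_naive(WEB_ROOT, sample))
    print("safe   ->", resolve_safe(WEB_ROOT, sample))
    print("flagged:", looks_like_traversal(sample))
```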

“With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications. Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as database password (local PostgreSQL by default and a remote SQL Server database in some cases),” Medov notes.

The researcher also points out that the flaw isn’t trivial to exploit: “However, taking into account that the database is stored inside the corporate perimeter and cannot be accessed from the outside, this attack vector can only be used in complex attacks, for example, with the involvement of an insider accomplice.”

The cloud version of XenMobile is not impacted by these vulnerabilities.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.