Citrix on Tuesday released patches to address multiple vulnerabilities in Citrix Endpoint Management (CEM), which allow an attacker to gain administrative privileges on affected systems.
Often referred to as XenMobile, the Citrix Endpoint Management (CEM) server provides businesses with management capabilities for both mobile devices and applications and allows employees to work on both enterprise-provided and own devices.
The severity of the identified vulnerabilities, which carry the CVE identifiers CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212, differs based on the installed version of XenMobile.
Thus, the vulnerabilities are considered critical for XenMobile server 10.12 before RP2, 10.11 before RP4, 10.10 before RP6, and all versions before 10.9 RP5. For XenMobile Server versions 10.12 before RP3, 10.11 before RP6, 10.10 before RP6, and releases prior to 10.9 RP5, impact is medium or low.
“The latest rolling patches that need to be applied for versions 10.9, 10.10, 10.11, and 10.12 are available immediately. Any versions prior to 10.9.x must be upgraded to a supported version with the latest rolling patch. We recommend that you upgrade to 10.12 RP3, the latest supported version,” Fermin Serna, Citrix’s CISO, notes in a blog post.
The company did not provide technical details on the addressed vulnerabilities, but revealed that it pre-notified CERTs and customers on July 23. To date, more than 70% of the impacted customers that were pre-notified have installed the available patches.
“We recommend these upgrades be made immediately. While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit,” Serna warned.
Responding to a SecurityWeek inquiry, Citrix refrained from providing information on the type of addressed vulnerabilities, but revealed that they could be exploited remotely, without authentication.
“Collectively, these issues could result in a remote unauthenticated attacker gaining administrative control of a Citrix Endpoint Management (CEM) server,” a Citrix spokesperson said.
The company credited Andrey Medov of Positive Technologies, Glyn Wintle of Tradecraft, and Kristian Bremberg of Detectify for identifying the vulnerabilities.
Medov reveals that the security flaw he identified, namely CVE-2020-8209, is “related to Path Traversal and is a result of insufficient input validation.”
An unauthenticated attacker using a specially crafted URL could exploit the flaw to access sensitive data such as configuration files and encryption keys that are stored outside the web server root directory. If the compromised data includes domain account credentials for LDAP access, the attacker could then breach the perimeter, the researcher says.
“With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications. Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as database password (local PostgreSQL by default and a remote SQL Server database in some cases),” Medov notes.
The researcher also points out that the flaw isn’t trivial to exploit: “However, taking into account that the database is stored inside the corporate perimeter and cannot be accessed from the outside, this attack vector can only be used in complex attacks, for example, with the involvement of an insider accomplice.”
The cloud version of XenMobile is not impacted by these vulnerabilities.