Critical Flaws Affect Citrix Endpoint Management (XenMobile Servers)

Citrix now produced patches for numerous new stability vulnerabilities affecting its Citrix Endpoint Administration (CEM), also regarded as XenMobile, a product or service manufactured for enterprises to assist corporations manage and safe their employees’ mobile equipment remotely.

Citrix Endpoint Management offers enterprises mobile product management (MDM) and mobile application management (MAM) capabilities. It enables businesses to control which apps their employees can put in although making sure updates and security options are applied to keep company information secured.

According to Citrix, there are a full of 5 vulnerabilities that have an impact on on-premise scenarios of XenMobile servers used in enterprises to take care of all apps, devices, or platforms from just one central place.


“Remediations have now been used to cloud variations, but hybrid rights buyers have to have to implement the upgrades to any on-premises instance,” the company stated in a write-up right now.

If left unpatched and exploited successfully, the freshly determined security vulnerabilities could collectively allow unauthenticated attackers to achieve administrative privileges on influenced XenMobile Servers.

“We advise these upgrades be created instantly. Even though there are no known exploits as of this creating, we do foresee destructive actors will go speedily to exploit,” the firm warned.

The two vulnerabilities—tracked as CVE-2020-8208 and CVE-2020-8209 and rated as critical—impact following XenMobile Server variations:

  • XenMobile Server 10.12 ahead of RP2
  • XenMobile Server 10.11 before RP4
  • XenMobile Server 10.10 ahead of RP6
  • XenMobile Server right before 10.9 RP5

Whereas, the other a few security vulnerabilities—tracked as CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212 and rated medium/low in severity—resides in the following versions:

  • XenMobile Server 10.12 before RP3
  • XenMobile Server 10.11 before RP6
  • XenMobile Server 10.10 right before RP6
  • XenMobile Server before 10.9 RP5

One of the essential flaws (CVE-2020-8209), learned by Andrey Medov of Optimistic Technologies, could allow an unauthenticated attacker to examine arbitrary documents outside the web-server root directory, which include configuration documents and encryption keys for delicate info.

“Exploitation of this vulnerability lets hackers to get hold of information and facts that can be practical for breaching the perimeter, as the configuration file usually suppliers area account credentials for LDAP obtain,” Mendov explained.

As a result, with accessibility to the domain account, the remote attacker can goal other external organization means, these as company mail, VPN, and web purposes.

What is even worse, in accordance to the researcher, is that the attacker who has managed to read through the configuration file can obtain delicate information, like databases password (local PostgreSQL by default and a remote SQL Server databases in some cases).

However, since the databases is stored inside the company perimeter and cannot be accessed from the exterior, Mendov mentioned, “this attack vector can only be made use of in advanced attacks, for instance, with the involvement of an insider accomplice.”

“The most up-to-date rolling patches that have to have to be applied for variations 10.9, 10.10, 10.11, and 10.12 are readily available promptly,” Citrix notes in a website put up.

“Any versions prior to 10.9.x need to be upgraded to a supported edition with the most up-to-date rolling patch. We recommend that you update to 10.12 RP3, the hottest supported model.”

Considering that Citrix products and solutions have not long ago emerged as one particular of the most loved targets for hackers just after wild exploitation of Citrix ADC, Gateway and Sharefile vulnerabilities, consumers are highly advisable to patch their devices to the latest versions of the application.

To be mentioned, the corporation has not however exposed technological details of the vulnerabilities but has now pre-notified various key CERTs all around the world and its prospects on July 23.

Fibo Quantum