Citrix has issued five patches covering a series of newly discovered Common Vulnerabilities and Exposures (CVEs) in its Citrix Endpoint Management (CEM) product, also known as XenMobile, an enterprise mobility management solution, and is urging customers to update their deployments to get ahead of what it expects to be inevitable exploitation.
Described by Citrix as critical, CVE-2020-8208, -8209, -8210, -8211 and -8212 affect XenMobile Server versions 10.12 (before rolling patch two), 10.11 (before rolling patch four), 10.10 (before rolling patch six) and 10.9 (before rolling patch five). Customers using the cloud version of XenMobile are not affected.
Citrix CISO Fermin Serna said: “We recommend these upgrades be made immediately. While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit.
“As such, prior to today’s Security Bulletin, we advised customers with current active maintenance to apply the latest rolling patches and saw a vast majority take our advice.
“Further, we have pre-briefed a number of major CERTs around the world,” he said.
“Remediations have already been applied to cloud versions, but hybrid rights users need to apply the upgrades to any on-premise instance.”
Among other things, the vulnerabilities could allow an unauthenticated attacker to read arbitrary files outside the web server's root directory, including configuration files and the encryption keys that protect sensitive data.
Positive Technologies researcher Andrey Medov, who discovered CVE-2020-8209, a path traversal vulnerability resulting from insufficient input validation, said: “Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access.
“With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN and web applications. Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as the database password (local PostgreSQL by default and a remote SQL Server database in some cases).
“However, taking into account that the database is stored inside the corporate perimeter and cannot be accessed from the outside, this attack vector can only be used in complex attacks, for example, with the involvement of an insider accomplice,” noted Medov.
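To illustrate the class of bug described above (a path traversal that lets a request walk out of the web root because its input is not validated), the following Python sketch is an added example, not Citrix's code and not the actual vulnerable XenMobile endpoint, which the bulletin does not publish. It contrasts a file-path resolver that trusts its input with one that confines the result to the document root. The root directory, the request strings and the function names are hypothetical, and the resolution is purely lexical so that it runs offline without touching a filesystem.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root used by the examples below (not a real XenMobile path).
WEB_ROOT = "/opt/app/webroot"


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """Resolve a requested file the way an insufficiently validated handler does.

    The percent-encoded request is decoded (as any web server does) and then
    joined onto the document root with no containment check, so '../' segments
    walk out of the root.  Returned paths are purely lexical; nothing is read.
    """
    decoded = unquote(requested)
    return posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))


def safe_resolve(web_root: str, requested: str) -> str:
    """Resolve a requested file and refuse anything outside the document root.

    Raises ValueError for traversal attempts, NUL bytes and double-encoded dots.
    """
    decoded = requested
    # Decode twice so '%252e%252e/' (double-encoded '../') is caught as well.
    for _ in range(2):
        decoded = unquote(decoded)
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    # Treat backslashes as separators so '..\\' cannot be smuggled as a plain name.
    decoded = decoded.replace("\\", "/")

    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))

    # Compare against root + '/' so a sibling such as '/opt/app/webroot2' is
    # not accepted by a bare prefix match.  On a live system, resolve symlinks
    # with os.path.realpath() on both sides before this comparison.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path traversal rejected: {requested!r}")
    return candidate


def is_confined(web_root: str, requested: str) -> bool:
    """True if safe_resolve accepts the request, False if it rejects it."""
    try:
        safe_resolve(web_root, requested)
        return True
    except ValueError:
        return False


# Constructed sample requests: one benign, the rest traversal variants.
SAMPLE_REQUESTS = [
    "images/logo.png",
    "../../../etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",
    "%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\..\\etc\\passwd",
    "../webroot2/secret.key",
    "static/..%00/../etc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        naive = vulnerable_resolve(WEB_ROOT, req)
        verdict = "accepted" if is_confined(WEB_ROOT, req) else "rejected"
        print(f"{req!r:48} naive -> {naive:36} hardened -> {verdict}")
```

Running the script shows the naive resolver returning `/etc/passwd` for the plain and single-encoded traversal strings and `/opt/app/webroot2/secret.key` for the sibling-directory case, while the hardened resolver rejects every request except the benign one. The sibling case is why the containment check compares against the root followed by a separator rather than the bare root string.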