Citrix engineers released a number of Citrix Endpoint Management patches this week. Citrix expects attacks on XenMobile Server corporate mobile device management systems. These issues give an attacker the ability to gain administrative privileges on vulnerable systems.The severity of the encountered issues, which received CVE IDs CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212, differs depending on the version of XenMobile used.
Thus, vulnerabilities will be critical for XenMobile versions from 10.12 to RP2, from 10.11 to RP4, from 10.10 to RP6 and all versions up to 10.9 RP5. In turn, for XenMobile versions 10.12 to RP3, 10.11 to RP6, 10.10 to RP6 and up to 10.9 RP5, the threat will be low to medium.
The company’s specialists write that all versions of 10.9.x should be immediately updated (preferably to the latest 10.12 RP3), since some problems can be used remotely and without authentication. Currently, more than 70% of potentially vulnerable customers who were previously notified of problems have already installed the available fixes.
“We recommend updating immediately. Although there are currently no known exploits [for these problems], we expect attackers to use them very soon”, — warns the company.
Let me remind you that Citrix users are quite inert, and after patches from a past dangerous bug, 20% of companies remained vulnerable. You should not expect that some noble hackers will patch your systems for you, although this has already happened.
Although Citrix experts do not disclose the details of the discovered problem, Positive Technologies specialist Andrey Medov discovered the CVE-2020-8209 vulnerability. He said that it belongs to the Path Traversal class and is related to insufficient validation of the input data.
“The exploitation of this vulnerability provides information that can be useful when crossing the perimeter, since the configuration file often stores a domain account for connecting to LDAP”, — says the expert.
A remote attacker can use the received data to authenticate to other external company resources: corporate mail, VPN, web applications. In addition, by reading the configuration file, an attacker can gain access to important data, for example, the password from the database (by default – from the local PostgreSQL, in some cases – from the remote SQL Server).
However, given that the database is located inside the corporate perimeter and cannot be connected to it from the outside, this vector can only be used in complex attacks, for example, with the help of an accomplice within the company.