
Citrix Urges Patch of Critical XenMobile Server Vulnerabilities

Warning that threat actors will likely move to quickly exploit the flaws, Citrix released patches for two critical vulnerabilities found in its XenMobile Server, a mobile device management platform.


By Jessica Davis

Citrix is urging organizations to apply patches for two critical vulnerabilities found in its XenMobile Server, a mobile device management (MDM) platform, as attackers will likely move quickly to exploit the flaws.

In healthcare, XenMobile's mobile device management toolkit can support in-house apps, such as those used to view patient information on a mobile device, among other uses.

Five vulnerabilities were found and assigned CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212. They affect XenMobile Server 10.12 prior to RP2, 10.11 prior to RP4, 10.10 prior to RP6, and 10.9 prior to RP5. Two of the five are rated critical.

The vulnerabilities are in the Endpoint Management server, which controls device updates and security settings. A successful exploit would give an attacker remote, unauthorized access to domain account credentials and, through them, to a host of enterprise resources such as web applications and email.

CVE-2020-8209 is a path traversal flaw caused by insufficient input validation, a common class of web application bug. By exploiting it, an attacker could read arbitrary files with the privileges of the account running the application.

Andrey Medov of Positive Technologies, who discovered the flaw, explained that an attacker could use a specially crafted URL to read files outside of the web server's root directory, such as its configuration files and the encryption keys for sensitive data.

What's worse, no authentication was needed to exploit the flaw.

“Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access,” Medov wrote. 

“With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications,” he added. “An attacker who has managed to read the configuration file can access sensitive data, such as database password (local PostgreSQL by default and a remote SQL Server database in some cases).”

The database itself sits inside the enterprise perimeter and cannot be reached from outside the organization, so the stolen database credentials can only be used as part of a more complex attack, for example one assisted by someone inside the organization.
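The flaw class described above is easy to reproduce in miniature. The following is an added example, not code from Citrix or from the researcher, and the request string, directory layout and configuration contents are all constructed for the demo (the page does not give the actual XenMobile URL or file paths). It shows a naive path resolver that appends the decoded URL path to the web root, so `../conf/server.properties` (or its URL-encoded form) walks out of the web root and returns a file holding an LDAP bind password, beside a hardened resolver that resolves the full path with symlinks expanded and refuses anything that does not stay under the web root:

```python
import os
import tempfile
from urllib.parse import unquote


def build_demo_tree():
    """Constructed demo tree: a web root with one public file and, one level
    up, a config directory that must never be reachable via the web server.
    The config contents (including the password) are invented."""
    base = tempfile.mkdtemp(prefix="xm-demo-")
    web_root = os.path.join(base, "webroot")
    conf_dir = os.path.join(base, "conf")
    os.makedirs(web_root)
    os.makedirs(conf_dir)
    with open(os.path.join(web_root, "index.html"), "wb") as f:
        f.write(b"<html>public</html>")
    with open(os.path.join(conf_dir, "server.properties"), "wb") as f:
        f.write(b"ldap.bindDN=CN=svc-mdm,OU=Service,DC=example,DC=org\n"
                b"ldap.bindPassword=hunter2\n")   # constructed secret
    return web_root


def vulnerable_resolve(web_root, requested):
    """Vulnerable pattern: decode the URL path and append it to the web root.
    Nothing stops '../' (or its encoded form '%2e%2e%2f') from walking out,
    and an absolute path replaces the root entirely."""
    return os.path.join(web_root, unquote(requested))


def read_vulnerable(web_root, requested):
    with open(vulnerable_resolve(web_root, requested), "rb") as f:
        return f.read()


def safe_resolve(web_root, requested):
    """Hardened pattern: decode exactly once (as the server would), resolve
    the candidate with symlinks expanded, then require the result to stay
    under the resolved web root. Checking the resolved path, rather than
    blacklisting '../', also defeats encoding tricks and symlinks that point
    outside the root. Returns the absolute path, or None to refuse."""
    root = os.path.realpath(web_root)
    decoded = unquote(requested)
    if "\x00" in decoded:                 # NUL can truncate paths in C-backed APIs
        return None
    # Strip leading separators so an absolute path cannot replace the root.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:                    # different drives on Windows
        inside = False
    return candidate if inside else None


def read_safe(web_root, requested):
    path = safe_resolve(web_root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    root = build_demo_tree()
    for req in ("index.html",
                "../conf/server.properties",
                "..%2Fconf%2Fserver.properties"):
        leaked = read_vulnerable(root, req)
        print(f"{req!r}: vulnerable -> {leaked[:32]!r} | hardened -> {read_safe(root, req)!r}")
```

The hardened resolver deliberately does not try to recognise traversal sequences in the input; any such denylist is bypassed by the next encoding variant. Resolving first and then comparing against the root is the check that holds regardless of how the request was spelled.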

Customers running versions prior to 10.9.x must first upgrade to a supported version to receive the rolling patch, Citrix warned. Customers using the cloud version of XenMobile do not need to take action, as the patch has already been applied there.

Customers with hybrid rights must also apply the software updates to all on-premises instances. As with Microsoft's recent critical patches, organizations were told to apply the fix immediately, since the vendor expects attackers to move quickly to exploit the vulnerabilities.

Customers and global CERTs have been notified, and “a vast majority” have already applied the patch. 

Given the increase in attacks that exploit known vulnerabilities and the sector's ongoing struggles with patch management, healthcare organizations should patch quickly, as an unpatched XenMobile Server poses a serious risk to the enterprise.

Earlier this year, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warned organizations to patch another critical Citrix vulnerability, found in its Application Delivery Controller and Gateway. Hackers were actively scanning for vulnerable gateways that organizations had failed to patch.

A month later, reports showed that hackers had successfully compromised a number of systems whose owners had failed to apply the update, leaving those servers open to attack.