Multiple Vulnerabilities in Citrix XenMobile Server Could Allow for Arbitrary File Read

ITS ADVISORY NUMBER: 

2020-114

DATE(S) ISSUED: 

Wednesday, August 12, 2020

SUBJECT: 

Multiple Vulnerabilities in Citrix XenMobile Server Could Allow for Arbitrary File Read

OVERVIEW: 

Multiple vulnerabilities have been discovered in Citrix XenMobile Server, the most severe of which could allow for reading of arbitrary files on the server. XenMobile is software that provides mobile device management and mobile application management. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary file read, resulting in access to configuration data and further attacks.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED: 

  • XenMobile Server 10.12 before RP3

  • XenMobile Server 10.11 before RP6

  • XenMobile Server 10.10 before RP6

  • XenMobile Server before 10.9 RP5

RISK:

Government:

Large and medium government entities: Medium

Small government entities: Medium

Business:

Large and medium business entities: Medium

Small business entities: Medium

Home Users: Medium

DESCRIPTION: 

Multiple vulnerabilities have been discovered in Citrix XenMobile Server, the most severe of which could allow for reading of arbitrary files on the server. Details of these vulnerabilities are as follows: 

  • A path traversal vulnerability that could allow reading of arbitrary files outside the web server root directory (CVE-2020-8209).  

  • One additional critical-rated vulnerability (CVE-2020-8208).

  • Multiple medium or low severity vulnerabilities (CVE-2020-8210, CVE-2020-8211, CVE-2020-8212).

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary file read, resulting in access to configuration data and further attacks.
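The first bullet above names the vulnerability class (path traversal out of the web server root) without describing how XenMobile's own code handles paths, so the following is an added, generic illustration, not Citrix's code and not the affected endpoint. It shows the containment check a file-serving handler needs (decode once, normalise, then confirm the result is still under the root) and reuses that check to flag traversal attempts in access-log lines. The web root `/var/www/app/public`, the function names and the sample log lines are all constructed for this example.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical web root used for this illustration only.
WEB_ROOT = "/var/www/app/public"


def resolve_under_root(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a URL path onto a filesystem path confined to `root`.

    Returns the absolute path when it stays inside `root`, or None when the
    request would escape it (the path-traversal case). Decoding happens before
    normalisation so that '%2e%2e/' is treated the same as '../'. posixpath is
    used throughout so the result does not depend on the host OS.
    """
    decoded = unquote(requested)  # single decode, mirroring a server that decodes once
    # A NUL byte can truncate the path at the filesystem layer; reject it outright.
    if "\x00" in decoded:
        return None
    # Treat the request as relative to the root, then collapse '.' and '..'.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # commonpath() is the containment check. A plain startswith() would wrongly
    # accept '/var/www/app/public_old/x' as being under '/var/www/app/public'.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# Request line extractor for Common Log Format entries.
LOG_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines; not real traffic from any system.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Aug/2020:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 9120',
    '198.51.100.7 - - [12/Aug/2020:10:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1840',
    '198.51.100.7 - - [12/Aug/2020:10:00:04 +0000] "GET /%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 220',
    '198.51.100.7 - - [12/Aug/2020:10:00:05 +0000] "GET /../public_old/x HTTP/1.1" 404 0',
]


def traversal_attempts(lines: List[str], root: str = WEB_ROOT) -> List[str]:
    """Return the log lines whose request path would resolve outside `root`."""
    hits = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]  # drop any query string
        if resolve_under_root(path, root) is None:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", line)
```

The last sample line is the case that a prefix comparison misses: `/../public_old/x` normalises to a sibling directory whose name merely starts with the root's name, and only the `commonpath()` comparison rejects it. The detection half is only as good as the decoding it mirrors; if the server decodes percent-encoding more than once, the log scan must do the same.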

ACTIONS: 

  • After appropriate testing, immediately apply updates provided by Citrix to vulnerable systems.

  • Reset the passwords of all users who have logged in over the past 120 days, in case your organization was targeted by cyber threat actors.

  • Apply the Principle of Least Privilege to all systems and services.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES: 

Citrix:
https://support.citrix.com/article/CTX277457

Positive Technologies:
https://www.ptsecurity.com/ww-en/about/news/citrix-fixes-xenmobile-vulne...

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8212