Critical flaw in Citrix Systems' XenMobile servers lets hackers steal confidential information

Citrix Systems' XenMobile servers are vulnerable to five flaws that allow hackers to steal files, including configuration files and encryption keys

Security researchers have discovered five critical vulnerabilities in Citrix Systems' XenMobile Server. The vulnerabilities were discovered by Andrey Medov of Positive Technologies and other security researchers, and they could let attackers read files, including configuration files and encryption keys.

Citrix Systems' XenMobile Server provides mobile device management and mobile application management functions to clients. It is also offered as a cloud service under the name "Citrix Endpoint Management (CEM)". The vulnerabilities discovered are CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212.

"Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access," explained Medov, referring to the Lightweight Directory Access Protocol, which is used by servers that act as a central store of accounts. "With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications," he added.

Medov states: "Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as database passwords — local PostgreSQL by default and a remote SQL Server database in some cases."

The severity of the Citrix Systems XenMobile Server vulnerabilities ranges from "Critical" to "Medium" and "Low." The vulnerabilities affect versions 10.8 to 10.12 of Citrix XenMobile, also called Citrix Endpoint Management, but not the cloud versions of the system. If your system is at risk, the company urges you to update your software. The level of risk depends on the version: Citrix advises some customers to update immediately, while advising others that they can update as part of their regular patching schedule. The company released versions 10.12 RP3, 10.11 RP6, 10.10 RP6, and 10.9 RP5 of the server, which fix the vulnerabilities.

The patch addresses the flaw spotted by Medov as well as a handful of related vulnerabilities reported by Glyn Wintle of Tradecraft and Kristian Bremberg of Detectify, Citrix said.
