
Multiple vulnerabilities in Citrix XenMobile Server

Last updated August 13, 2020

Description

Multiple vulnerabilities were discovered in on-premise instances of Citrix Endpoint Management (CEM), also referred to as XenMobile Server. The following CVEs are part of the CTX277457 security bulletin: CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212. Of these, CVE-2020-8208 and CVE-2020-8209 are rated critical. Details on CVE-2020-8209 are available from Positive Technologies here.

Technical Analysis

Description

Citrix published a security bulletin on Wednesday, August 12, citing five vulnerabilities in XenMobile Server, the on-premise form of Citrix Endpoint Management (CEM). The CVEs assigned are CVE-2020-8208 through CVE-2020-8212. CVE-2020-8208 and CVE-2020-8209 are both critical. CVE-2020-8209 is a path traversal vulnerability in XenMobile Server and stands out for its potential impact: successful exploitation would allow an unauthenticated attacker who follows a specially crafted URL to read arbitrary files outside the web root directory, including configuration files and encryption keys.

CVSSv3 scores are unknown as of August 12, 2020, and no further details on the vulnerabilities were immediately available.
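To make the bug class concrete from the defender's side, the following added example (not Citrix's code, and not the actual XenMobile endpoint, which the bulletin does not describe) shows the unchecked path resolution that underlies a traversal read, the hardened check that keeps a request inside the web root, and a scanner that flags such requests in constructed access-log lines. The web root path and log lines are assumptions made up for the example.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/opt/xenmobile/webroot"  # assumed placeholder, not XenMobile's real layout

def decode_fully(path, rounds=3):
    """Undo percent-encoding repeatedly so a double-encoded %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def resolve_unsafely(web_root, requested):
    """The pattern behind traversal bugs: join the URL path onto the web root
    and normalize it, never checking where the result actually ends up."""
    return posixpath.normpath(posixpath.join(web_root, requested.lstrip("/")))

def resolve_safely(web_root, requested):
    """Hardened form: decode, normalize, then require the result to remain under
    web_root. Returns None when the request would escape the root."""
    root = posixpath.normpath(web_root)
    candidate = resolve_unsafely(root, decode_fully(requested).replace("\\", "/"))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

def flag_traversal_requests(log_lines, web_root=WEB_ROOT):
    """Return request paths from common-log-format lines whose decoded form
    would resolve outside the web root (a detection hook for access logs)."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]            # e.g. 'GET /path HTTP/1.1'
            path = request.split(" ")[1].split("?")[0]
        except IndexError:
            continue                                # malformed line, skip it
        if resolve_safely(web_root, path) is None:
            hits.append(path)
    return hits

# Constructed sample log lines for the example; not real XenMobile traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Aug/2020:10:00:01 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [12/Aug/2020:10:00:02 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/conf/app.properties HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Aug/2020:10:00:03 +0000] "GET /static/..%252f..%252fkeys HTTP/1.1" 404 0',
    '10.0.0.7 - - [12/Aug/2020:10:00:04 +0000] "GET /static/css/../app.css HTTP/1.1" 200 300',
]
```

Note that the scanner flags the 404 line as well: a rejected attempt is still worth seeing in detection, since it usually precedes a working one.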

Affected products

Products affected by critical vulnerabilities:

Versions affected by low- and medium-severity vulnerabilities:

  • XenMobile Server 10.12 before RP3
  • XenMobile Server 10.11 before RP6
  • XenMobile Server 10.10 before RP6
  • XenMobile Server before 10.9 RP5

Citrix has said that remediations have already been applied to cloud versions, but that users with on-premise versions will need to apply upgrades. The latest information on versions and patch availability can be found in Citrix’s security bulletin here.

Rapid7 analysis

Other critical Citrix vulnerabilities this year have seen quick and sustained exploitation—the company noted in a blog that “while there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit.” Rapid7 research teams have no reason to think otherwise, and the availability of patches will likely accelerate malicious actors’ ability to develop and refine successful attacks.

A note on CVE-2020-8209 specifically: In many cases, arbitrary file reads are exploitation primitives with limited utility unto themselves. In this case, however, successful exploitation of CVE-2020-8209 would allow attackers to read the target server’s configuration files, which may disclose domain and/or database credentials and other sensitive information with high utility for executing multi-stage attacks against a corporate environment. As far as primitives go, CVE-2020-8209’s value to both penetration testers and adversaries is high.

Guidance

Citrix customers should apply the latest rolling patches for XenMobile versions affected by critical vulnerabilities as soon as possible. Citrix has advised that any XenMobile Server versions prior to 10.9.x must be upgraded to a supported version with the latest rolling patch; their recommendation is that customers should upgrade to 10.12 RP3, the latest supported version. There are no known workarounds or mitigations as of August 12, 2020.