Citrix reported that it anticipates malicious actors “will move quickly to exploit” two critical flaws in its mobile device management software.
Citrix is urging customers to immediately patch a pair of critical flaws in its flagship mobile device management software. If exploited, the flaws could allow remote, unauthenticated attackers to obtain domain account credentials, ultimately opening the door to a treasure trove of corporate data, including email and web applications.
The flaws exist in Citrix Endpoint Management (CEM), also known as XenMobile Server, which allows organizations to manage employees’ mobile devices and mobile applications by controlling device security settings and updates. In all, five vulnerabilities were discovered, two of which (CVE-2020-8208 and CVE-2020-8209) are rated critical in severity.
“We recommend these upgrades be made immediately,” Fermin J. Serna, Chief Information Security Officer at Citrix, said in a Tuesday post. “While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit.”
One of the two critical flaws disclosed, CVE-2020-8209, is a path traversal flaw that stems from insufficient input validation. Path traversal bugs are web security flaws that allow bad actors to read arbitrary files on the server that is running an application.
That is the case here: Positive Technologies expert Andrey Medov, who discovered the flaw, said that attackers can exploit it by convincing users to follow a specially crafted URL. They would then be able to access arbitrary files outside the web server root directory, including configuration files and encryption keys for sensitive data.
“Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP [Lightweight Directory Access Protocol; an industry-standard protocol used for accessing distributed directory information services over an IP network] access,” said Medov in a statement. “With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications. Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as the database password (local PostgreSQL by default and a remote SQL Server database in some cases).”
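As an added illustration, not Citrix’s code and not taken from the Positive Technologies advisory, the following Python shows the input validation that a path traversal bug of this class lacks: a requested URL path is percent-decoded, canonicalized, and accepted only if it resolves beneath the web root. It also handles the variants that naive checks miss (encoded and double-encoded dot segments, backslash separators, NUL bytes, and symlinks that point outside the root). The web root, file names and symlink in `demo_results()` are constructed for the example and say nothing about XenMobile Server’s actual file layout.

```python
"""Added example (not Citrix code): rejecting path traversal when mapping a
requested URL path onto files under a web root.

The web root, file names and symlink used in demo_results() are constructed
for this illustration and do not describe XenMobile Server internals."""
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(web_root: str, requested: str, max_decode: int = 3):
    """Return the canonical on-disk path for `requested`, or None if it escapes
    `web_root`. Canonicalization follows symlinks, so a link inside the root
    that points outside it is rejected as well."""
    # Percent-decode until the string stops changing, so %2e%2e%2f and
    # double-encoded %252e%252e%252f variants are compared in their final form.
    decoded = requested
    for _ in range(max_decode):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # A NUL byte is never legitimate in a path; native code that receives it
    # may silently truncate the string after the check has passed.
    if "\x00" in decoded:
        return None
    # Normalize Windows-style separators so "..\" is not treated as a filename.
    decoded = decoded.replace("\\", "/")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    try:
        # commonpath handles root == "/" correctly, unlike a startswith() check.
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return candidate if inside else None


def demo_results():
    """Build a constructed web root with one legitimate file and one symlink
    that points outside it, then report which requests would be served.
    Returns a dict of request -> bool (True = served, False = rejected)."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    root = os.path.join(base, "webroot")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "static"))
    os.makedirs(outside)
    with open(os.path.join(root, "static", "app.js"), "w") as fh:
        fh.write("// constructed sample asset\n")
    with open(os.path.join(outside, "server.conf"), "w") as fh:
        fh.write("constructed=secret\n")
    os.symlink(outside, os.path.join(root, "link"))

    requests = [
        "static/app.js",                           # ordinary request, served
        "../outside/server.conf",                  # plain traversal
        "%2e%2e%2foutside%2fserver.conf",          # single-encoded traversal
        "%252e%252e%252foutside%252fserver.conf",  # double-encoded traversal
        "..\\outside\\server.conf",                # backslash separators
        "static/app.js%00.png",                    # NUL-byte truncation attempt
        "link/server.conf",                        # symlink escaping the root
    ]
    return {r: resolve_under_root(root, r) is not None for r in requests}


if __name__ == "__main__":
    for req, served in demo_results().items():
        print(f"{'served  ' if served else 'rejected'} {req}")
```

The important design choice is to validate the canonical path (`realpath`) rather than the raw request string: string-based blocklists for `../` are what encoded and symlinked variants slip past, whereas comparing the resolved location against the resolved root makes the decision on what the filesystem would actually open.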
Specifically affected at a critical level by the two vulnerabilities are: XenMobile Server 10.12 before RP2, XenMobile Server 10.11 before RP4, XenMobile Server 10.10 before RP6 and XenMobile Server before 10.9 RP5.
The remaining three flaws (CVE-2020-8210, CVE-2020-8211 and CVE-2020-8212) are rated medium and low severity. Further details on these vulnerabilities, as well as on the second critical flaw (CVE-2020-8208), have not been released; Threatpost has reached out to Citrix for comment.
These lower-severity flaws affect CEM versions: XenMobile Server 10.12 before RP3, XenMobile Server 10.11 before RP6, XenMobile Server 10.10 before RP6 and XenMobile Server before 10.9 RP5.
“The latest rolling patches that need to be applied for versions 10.9, 10.10, 10.11, and 10.12 are available immediately,” said Serna. “Any versions prior to 10.9.x must be upgraded to a supported version with the latest rolling patch. We recommend that you upgrade to 10.12 RP3, the latest supported version.”
Citrix joins a slew of companies issuing regularly scheduled security updates this week, including Intel, which stomped out a critical-severity vulnerability affecting several of its motherboards, server systems and compute modules; Microsoft, which fixed 120 bugs including two under active attack; and Adobe, which patched 11 critical security holes in Acrobat and Reader.
Earlier in the year, Citrix in January grappled with a critical vulnerability (CVE-2019-19781) in its Citrix Application Delivery Controller (ADC) and Citrix Gateway products, as well as several vulnerabilities in those same products in June allowing for code injection, information disclosure and denial of service.