Threat Response – Citrix XenMobile Server

11-08-2020

A SAFE DIGITAL JOURNEY

On the 11th of August Citrix released patches for critical vulnerabilities in the XenMobile Server [1]. XenMobile Server is a solution for mobile device management, such as phones, tablets and laptops. Several vulnerabilities have been registered in the patches with identifiers: CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, CVE-2020-8212. These vulnerabilities allow an attacker to execute arbitrary code on the server. Currently, there are no signs of active exploitation. In this message we inform you of the threat and potential mitigations.

Impact

The vulnerabilities allow an attacker to run arbitrary code on the server with administrator or root permissions. This makes the impact high.

Risk

Because XenMobile Server has to be reachable for the managed devices, it is typically accessible from external networks, allowing attackers to remotely exploit the vulnerabilities.

No public/active exploit code is available currently. This is expected in the short term, as the patches that were released can be used to reverse engineer the vulnerability [2]. Northwave assesses the risk of this vulnerability to be high.

Mitigation

Northwave recommends installing the patch immediately. There are no other known mitigation available at the moment.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.

Sources

[1]: https://support.citrix.com/article/CTX277457

[2]: https://advisories.ncsc.nl/advisory?id=NCSC-2020-0639 (Dutch)

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.