Issue
Vulnerabilities have been discovered in Citrix Endpoint Management (XenMobile Server) which, chained together, may allow a XenMobile console user with either an admin role or a custom role that has ‘Create Support Bundles’ enabled to gain root access to the underlying OS.
To review all 4 Citrix vulnerabilities announced on April 12th, please read our digest.
| CVE-ID | Description | CWE | Pre-Conditions |
| --- | --- | --- | --- |
| CVE-2021-44519 | Unauthorized access to the underlying OS | CWE-284: Improper Access Control | A XenMobile console user must have either an admin role or a custom role that has ‘Create Support Bundles’ enabled. These permissions can only be assigned by an admin user. |
| CVE-2021-44520 | Unauthorized root access to the underlying OS | CWE-284: Improper Access Control | Access to the underlying OS |
| CVE-2022-26151 | Unauthorized root access to the underlying OS | CWE-20: Improper Input Validation | Admin access to XenMobile CLI |
Affected versions
The issues affect the following supported versions of Citrix Endpoint Management (XenMobile Server):
CVE-2021-44519, CVE-2021-44520 – Medium severity:
- XenMobile Server 10.14.0 before rolling patch 4
- XenMobile Server 10.13.0 before rolling patch 7
CVE-2022-26151 – Low severity:
- XenMobile Server 10.14.0 before rolling patch 5
- XenMobile Server 10.13.0 before rolling patch 8
Recommended Action
The issues have been addressed in the following supported versions of Citrix Endpoint Management (XenMobile Server):
CVE-2021-44519, CVE-2021-44520 – Medium severity:
- XenMobile Server 10.14.0 rolling patch 4 and later releases of 10.14.0
- XenMobile Server 10.13.0 rolling patch 7 and later releases of 10.13.0
CVE-2022-26151 – Low severity:
- XenMobile Server 10.14.0 rolling patch 5 and later releases of 10.14.0
- XenMobile Server 10.13.0 rolling patch 8 and later releases of 10.13.0
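The affected and fixed lists above amount to a per-branch rolling-patch threshold for each CVE. The following helper turns them into a triage check that can be run over a fleet inventory. It is an added example for this page, not code from Citrix or from the Kraft Kennedy team, and it assumes that each server's version is recorded as a branch plus rolling patch in text form (for example "10.14.0 Rolling Patch 3" or "10.13.0 RP7"); that input format, the inventory dictionary and the host names are constructed for the example. Build-number strings such as "10.14.0.106" are deliberately rejected rather than guessed at, because the advisory does not map build numbers to rolling patches, and branches other than 10.13.0 and 10.14.0 are reported as outside the advisory's scope rather than as "not affected".

```python
"""Version triage for the XenMobile Server advisory CTX370551 (added example)."""
import re
from typing import Dict, Optional, Set, Tuple

# Thresholds taken from the advisory's "Affected versions" / "Recommended Action"
# lists: branch -> {CVE: first rolling patch that contains the fix}.
# A build on that branch is affected by a CVE when its rolling patch number is
# lower than the fixed one.
FIXED_IN: Dict[str, Dict[str, int]] = {
    "10.14.0": {"CVE-2021-44519": 4, "CVE-2021-44520": 4, "CVE-2022-26151": 5},
    "10.13.0": {"CVE-2021-44519": 7, "CVE-2021-44520": 7, "CVE-2022-26151": 8},
}

# Assumed input format for this example: "<major>.<minor>.<patch>" optionally
# followed by "Rolling Patch N" or "RPN" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+)"                          # branch, e.g. 10.14.0
    r"(?:\s*(?:rolling\s*patch|rp)\s*(\d+))?\s*$",  # optional rolling patch number
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[str, int]]:
    """Parse a version string into (branch, rolling_patch).

    A bare branch such as "10.14.0" is treated as rolling patch 0 (the base
    release). Strings in any other form, including build numbers like
    "10.14.0.106", return None because they cannot be mapped to a rolling patch
    from the advisory alone.
    """
    match = _VERSION_RE.match(text)
    if not match:
        return None
    branch, rolling_patch = match.group(1), match.group(2)
    return branch, int(rolling_patch) if rolling_patch else 0


def affected_cves(text: str) -> Optional[Set[str]]:
    """Return the CVEs from CTX370551 that a server on this version is still exposed to.

    Returns None when the branch is not one the advisory covers (it lists only
    the supported 10.13.0 and 10.14.0 lines), so the caller cannot conclude
    "not affected" for, say, an out-of-support 10.12.0 build.
    Raises ValueError for strings that do not parse at all.
    """
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised XenMobile version string: {text!r}")
    branch, rolling_patch = parsed
    fixes = FIXED_IN.get(branch)
    if fixes is None:
        return None
    return {cve for cve, fixed_rp in fixes.items() if rolling_patch < fixed_rp}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host in a {hostname: version string} inventory."""
    report: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            cves = affected_cves(version)
        except ValueError:
            report[host] = "unparseable version; check the console manually"
            continue
        if cves is None:
            report[host] = "branch not covered by CTX370551; verify support status"
        elif cves:
            report[host] = "affected: " + ", ".join(sorted(cves))
        else:
            report[host] = "fixed"
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: Dict[str, str] = {
    "xm-prod-01": "10.14.0 Rolling Patch 3",
    "xm-prod-02": "10.14.0 RP4",
    "xm-dr-01": "10.13.0 rp8",
    "xm-lab-01": "10.12.0 RP11",
    "xm-lab-02": "10.14.0.106",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Note that a "fixed" verdict only covers the three CVEs in this advisory. For hosts still reported as affected by CVE-2021-44519, the pre-conditions table above suggests an interim control: review which console users hold the admin role or a custom role with ‘Create Support Bundles’ enabled, since that permission is the entry point for the chain.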
Citrix recommends that affected customers upgrade to a fixed version as soon as their patching schedule allows.
The latest versions of Citrix XenMobile Server can be downloaded from https://www.citrix.com/downloads/citrix-endpoint-management/product-software/xenmobile-10-server.html
More Information
https://support.citrix.com/article/CTX370551
For assistance from the Kraft Kennedy team, please contact us.