Issue
Two vulnerabilities have been discovered in Citrix SD-WAN. The first (CVE-2022-27505) is a reflected cross-site scripting (XSS) issue in the SD-WAN Standard/Premium Edition Appliance, exploitable only against a victim user who has a current session on the vulnerable device. The second (CVE-2022-27506) is the use of hard-coded credentials in SD-WAN Center, the SD-WAN Appliance and SD-WAN Orchestrator for On-Premises, which allows an administrator with access to the SD-WAN CLI to reach the underlying shell.
To review all 4 Citrix vulnerabilities announced on April 12th, please read our digest.
| CVE-ID | Description | CWE | Affected Products | Pre-Conditions |
|---|---|---|---|---|
| CVE-2022-27505 | Reflected cross-site scripting (XSS) | CWE-79: Improper neutralization of input during web page generation (cross-site scripting) | Citrix SD-WAN Standard/Premium Edition Appliance | Victim user must have a current session on the vulnerable device |
| CVE-2022-27506 | Hard-coded credentials allow administrators to access the shell via the SD-WAN CLI | CWE-798: Use of hard-coded credentials | Citrix SD-WAN Center Management Console, Citrix SD-WAN Standard/Premium Edition Appliance, and Citrix SD-WAN Orchestrator for On-Premises | Admin access to the SD-WAN CLI |
Affected versions
The following supported versions of Citrix SD-WAN are affected by the vulnerabilities:
- CVE-2022-27505 – High Severity
  - Citrix SD-WAN Standard/Premium Edition Appliance versions before 11.4.3a
- CVE-2022-27506 – Low Severity
  - Citrix SD-WAN Center Management Console versions before 11.4.3
  - Citrix SD-WAN Standard/Premium Edition Appliance versions before 11.4.1
  - Citrix SD-WAN Orchestrator for On-Premises versions before 13.2.1
Mitigating Factors
CVE-2022-27506: This issue is only exposed to administrators who already have access to the SD-WAN CLI; it does not grant access to unauthenticated or non-administrative users.
Recommended Action
- CVE-2022-27505:
  Citrix recommends that affected customers upgrade to a fixed version as soon as possible. This issue has been addressed in the following supported Citrix SD-WAN versions:
  - Citrix SD-WAN Standard/Premium Edition Appliance versions 11.4.3a and above
- CVE-2022-27506:
  Citrix recommends that affected customers upgrade to a fixed version as their patching schedule allows. This issue has been addressed in the following supported Citrix SD-WAN versions:
  - Citrix SD-WAN Center Management Console versions 11.4.3 and above
  - Citrix SD-WAN Standard/Premium Edition Appliance versions 11.4.1 and above
  - Citrix SD-WAN Orchestrator for On-Premises versions 13.2.1 and above
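The fixed-version boundaries above are easy to misread because one of them carries a letter suffix: an appliance on 11.4.3 is already patched for CVE-2022-27506 (fixed in 11.4.1) but still affected by CVE-2022-27505 (fixed in 11.4.3a), so a plain numeric comparison gets it wrong. The following script is an added example, not code from Citrix or from this bulletin. It encodes the fixed versions listed above, parses a version string such as `11.4.3a` into its numeric components plus an optional suffix, and reports which of the two CVEs still apply to a given product and version. The product keys (`appliance`, `center`, `orchestrator`) are shorthand chosen for this example; the version string itself must be read from the device, which the script does not do.

```python
"""Check a Citrix SD-WAN component version against the fixed versions in this bulletin.

Added example for this digest page; the product keys are local shorthand and the
fixed versions are copied from the 'Recommended Action' section above.
"""
import re
from typing import Dict, List, Tuple

# (numeric components, letter suffix), e.g. "11.4.3a" -> ((11, 4, 3), "a")
Version = Tuple[Tuple[int, ...], str]

# First version that contains the fix, per CVE and per product.
# A build is affected when it is strictly older than the listed fix.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2022-27505": {
        "appliance": "11.4.3a",
    },
    "CVE-2022-27506": {
        "center": "11.4.3",
        "appliance": "11.4.1",
        "orchestrator": "13.2.1",
    },
}

# Dotted numeric release followed by an optional single-letter hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(text: str) -> Version:
    """Split '11.4.3a' into ((11, 4, 3), 'a'); reject anything else loudly."""
    match = _VERSION_RE.match(text.strip().lower())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def is_older(candidate: str, fixed: str) -> bool:
    """True when `candidate` is strictly older than `fixed`.

    Numeric components are compared as integers (so 11.4.10 > 11.4.3), shorter
    versions are zero-padded (11.4 == 11.4.0), and an absent suffix sorts
    before any letter suffix (11.4.3 < 11.4.3a).
    """
    c_nums, c_suffix = parse_version(candidate)
    f_nums, f_suffix = parse_version(fixed)
    width = max(len(c_nums), len(f_nums))
    c_nums += (0,) * (width - len(c_nums))
    f_nums += (0,) * (width - len(f_nums))
    return (c_nums, c_suffix) < (f_nums, f_suffix)


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVEs from this bulletin that still apply to `product` at `version`.

    Products not listed under a CVE are not affected by that CVE.
    """
    hits = []
    for cve, fixes in FIXED_VERSIONS.items():
        fixed = fixes.get(product)
        if fixed is not None and is_older(version, fixed):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [
        ("appliance", "11.4.3"),      # patched for 27506, still open for 27505
        ("appliance", "11.4.3a"),     # fully patched
        ("appliance", "11.4.0"),      # both CVEs apply
        ("center", "11.4.2"),         # 27506 applies
        ("orchestrator", "13.2.1"),   # patched
    ]
    for product, version in inventory:
        print(f"{product:13} {version:8} -> {affected_cves(product, version) or 'not affected'}")
```

The suffix handling is the part worth keeping: treating `11.4.3a` as equal to `11.4.3` would mark patched appliances as vulnerable to CVE-2022-27505, and dropping the suffix before a string comparison would do the reverse. If Citrix ships longer build identifiers on a given platform, extend `_VERSION_RE` rather than silently truncating the string.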
More Information