Positive Technologies expert Andrey Medov has discovered a vulnerability in the Citrix XenMobile enterprise mobility management solution. By requesting a specially crafted URL, an attacker could read arbitrary files outside the web server's root directory, including configuration files and the encryption keys used to protect sensitive data. Exploitation did not require authentication.
The vulnerability, found in the Citrix XenMobile Server component, was assigned the identifier CVE-2020-8209. It is a path traversal flaw caused by insufficient validation of the file path taken from the request.
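The following is an added illustration of the bug class described above, not code from XenMobile or from Positive Technologies' advisory: a file handler that joins a URL path onto the web root without validation, next to a hardened version that canonicalises the path and refuses anything that resolves outside the root. The directory layout, the `server.properties` file and the secret in it are constructed for the demo and assume nothing about the real product.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed layout: a web root holding one public page, and a config
# file one level above it that must never be reachable through a URL.
ROOT = tempfile.mkdtemp()
WEBROOT = os.path.join(ROOT, "webroot")
os.makedirs(WEBROOT)
with open(os.path.join(WEBROOT, "index.html"), "w") as f:
    f.write("<h1>hello</h1>")
with open(os.path.join(ROOT, "server.properties"), "w") as f:
    f.write("ldap.bind.password=example-only\n")  # constructed sample secret


def serve_vulnerable(url_path: str) -> str:
    """Naive handler: decode the URL path and join it onto the web root.
    Nothing rejects '..' segments, so '/../server.properties' (or its
    URL-encoded form '/%2e%2e/server.properties') escapes the root."""
    rel = unquote(url_path).lstrip("/")
    target = os.path.join(WEBROOT, rel)
    with open(target) as f:
        return f.read()


def resolve_safe(url_path: str) -> str:
    """Hardened resolver: decode, canonicalise to an absolute real path
    (which collapses '..' and follows symlinks), then refuse any result
    whose canonical location is not inside WEBROOT."""
    rel = unquote(url_path).lstrip("/")
    # Reject NUL bytes (truncation tricks) and absolute paths outright.
    if "\x00" in rel or os.path.isabs(rel):
        raise PermissionError("invalid path")
    root = os.path.realpath(WEBROOT)
    target = os.path.realpath(os.path.join(root, rel))
    # commonpath is the containment check; a plain startswith(root) would
    # wrongly accept a sibling directory such as '<root>2'.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes web root")
    return target


def serve_safe(url_path: str) -> str:
    """Same handler as above, but only after the path passes resolve_safe."""
    with open(resolve_safe(url_path)) as f:
        return f.read()


def escapes(serve, url_path: str) -> bool:
    """True if the given handler returns the out-of-root secret for url_path."""
    try:
        return "ldap.bind.password" in serve(url_path)
    except (PermissionError, FileNotFoundError, IsADirectoryError):
        return False


if __name__ == "__main__":
    for probe in ("/index.html", "/../server.properties", "/%2e%2e/server.properties"):
        print(f"{probe:32} vulnerable={escapes(serve_vulnerable, probe)} "
              f"hardened={escapes(serve_safe, probe)}")
```

The second probe is the point of the exercise: decoding happens before the join in both handlers, so a single-encoded `%2e%2e` is just `..` by the time the path is built, and only the canonicalise-then-compare check stops it. Rejecting the literal string `..` before decoding would miss exactly that case.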
Positive Technologies expert Andrey Medov explained: "Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access¹. With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications. Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as the database password (a local PostgreSQL database by default and a remote SQL Server database in some cases). However, taking into account that the database is stored inside the corporate perimeter and cannot be accessed from the outside, this attack vector can only be used in complex attacks, for example, with the involvement of an insider accomplice."
The vulnerability affects Citrix XenMobile Server versions 10.8 through 10.12. Citrix has released updated builds and urges customers to install them as soon as possible.
¹ LDAP servers are mainly used for centralized storage of accounts.