IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Citrix patches XenMobile vulnerability

Positive Technologies spots serious flaw in Citrix XenMobile

Citrix has issued a patch for XenMobile, after a security researcher at Positive Technologies spotted a vulnerability in the enterprise mobility management system.

According to researcher Andrey Medov, the flaw in the server component could let attackers read files, including configuration files and encryption keys.

"Exploitation of this vulnerability allows hackers to obtain information that can be useful for breaching the perimeter, as the configuration file often stores domain account credentials for LDAP access," explained Medov, referring to lightweight directory access protocol, servers that are mainly used for central storage of accounts.

"With access to the domain account, a remote attacker can use the obtained data for authentication on other external company resources, including corporate mail, VPN, and web applications."

Medov adds: "Worse still, an attacker who has managed to read the configuration file can access sensitive data, such as database passwords — local PostgreSQL by default and a remote SQL Server database in some cases."

There's no reason to panic, though, as victims would need to follow a malicious link first and the attacker would need some physical access. "However, taking into account that the database is stored inside the corporate perimeter and cannot be accessed from the outside, this attack vector can only be used in complex attacks, for example, with the involvement of an insider accomplice," Medov explained.

The vulnerability is in versions 10.8 to 10.12 of Citrix XenMobile, also called Citrix Endpoint Management, but not in the cloud versions of the system. If your system is at risk, the company is urging users to update their software. The level of risk depends on the version, with Citrix advising some to update immediately, while advising others they can update as part of their regular patching schedule.

The patch addresses the flaw spotted by Medov as well as a handful of related vulnerabilities reported by Glyn Wintle of Tradecraft and Kristian Bremberg of Detectify, Citrix said.

Last year, Positive Technologies spotted a critical vulnerability in Citrix software that affected 80,000 companies, but a survey six weeks later revealed one in five of those companies still hadn't patched the flaw.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Citrix appoints 30-year tech vet Bob Calderoni as interim CEO
Careers & training

Citrix appoints 30-year tech vet Bob Calderoni as interim CEO

7 Oct 2021
Citrix mulling potential sale after tumultuous 2021
mergers and acquisitions

Citrix mulling potential sale after tumultuous 2021

15 Sep 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022