Description of Problem
Vulnerabilities have been discovered in Citrix Endpoint Management (XenMobile Server) which, chained together, may allow a XenMobile console user with either an admin role or a custom role that has ‘Create Support Bundles’ enabled to gain root access to the underlying OS.
| CVE-ID | Description | CWE | Pre-conditions |
|---|---|---|---|
| CVE-2021-44519 | Unauthorized access to the underlying OS | CWE-284: Improper Access Control | A XenMobile console user must have either an admin role or a custom role that has ‘Create Support Bundles’ enabled. These permissions can only be assigned by an admin user. |
| CVE-2021-44520 | Unauthorized root access to the underlying OS | CWE-284: Improper Access Control | Access to the underlying OS |
| CVE-2022-26151 | Unauthorized root access to the underlying OS | CWE-20: Improper Input Validation | Admin access to XenMobile Server CLI |
The issues affect the following supported versions of Citrix Endpoint Management (XenMobile Server):
CVE-2021-44519, CVE-2021-44520 - Medium severity:
- XenMobile Server 10.14.0 before rolling patch 4
- XenMobile Server 10.13.0 before rolling patch 7
CVE-2022-26151 - Low severity:
- XenMobile Server 10.14.0 before rolling patch 5
- XenMobile Server 10.13.0 before rolling patch 8
What Customers Should Do
The issues have been addressed in the following supported versions of Citrix Endpoint Management (XenMobile Server):
CVE-2021-44519, CVE-2021-44520 – Medium severity:
- XenMobile Server 10.14.0 rolling patch 4 and later releases of 10.14.0
- XenMobile Server 10.13.0 rolling patch 7 and later releases of 10.13.0
CVE-2022-26151 – Low severity:
- XenMobile Server 10.14.0 rolling patch 5 and later releases of 10.14.0
- XenMobile Server 10.13.0 rolling patch 8 and later releases of 10.13.0
Citrix recommends that affected customers upgrade to a fixed version as soon as their patching schedule allows.
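Because the two fix thresholds differ (rolling patch 4/7 clears the two CWE-284 issues, but only rolling patch 5/8 clears CVE-2022-26151), a server that received the first patch can still carry the third CVE. The triage helper below encodes the fixed-in levels from this advisory and reports which CVEs still apply to a given build. It is an added example, not Citrix's code or tooling; the "10.14.0 RPn" build notation and the sample inventory are assumptions made for the example, and branches the advisory does not list are reported as not covered rather than as clean.

```python
"""Triage helper for the XenMobile Server advisory above (added example)."""
from typing import Dict, List, Tuple

# Minimum rolling patch (RP) that fixes each CVE on each supported branch,
# taken from the "What Customers Should Do" section of the advisory.
FIXED_IN: Dict[str, Dict[str, int]] = {
    "CVE-2021-44519": {"10.14.0": 4, "10.13.0": 7},
    "CVE-2021-44520": {"10.14.0": 4, "10.13.0": 7},
    "CVE-2022-26151": {"10.14.0": 5, "10.13.0": 8},
}


def parse_build(build: str) -> Tuple[str, int]:
    """Split a build string such as '10.14.0 RP3' into (branch, rp).

    The 'x.y.z RPn' notation is an assumption for this example. A build with
    no RP suffix is treated as RP 0, i.e. the unpatched base release.
    """
    parts = build.strip().split()
    if not parts:
        raise ValueError("empty build string")
    branch = parts[0]
    rp = 0
    if len(parts) > 1:
        suffix = parts[1].upper()
        if not suffix.startswith("RP") or not suffix[2:].isdigit():
            raise ValueError(f"unrecognised rolling-patch suffix in {build!r}")
        rp = int(suffix[2:])
    return branch, rp


def covered_branches() -> List[str]:
    """Branches this advisory gives fix levels for."""
    branches = set()
    for fixed in FIXED_IN.values():
        branches.update(fixed)
    return sorted(branches)


def affected_cves(build: str) -> List[str]:
    """Return the CVEs from this advisory still present on `build`.

    Raises ValueError for a branch the advisory does not cover, so an
    unsupported release is never silently reported as clean.
    """
    branch, rp = parse_build(build)
    if branch not in covered_branches():
        raise ValueError(f"branch {branch} is not covered by this advisory")
    return [cve for cve, fixed in FIXED_IN.items() if rp < fixed[branch]]


def required_rp(branch: str) -> int:
    """Smallest rolling patch on `branch` that clears every CVE listed."""
    return max(fixed[branch] for fixed in FIXED_IN.values())


def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map host -> {'build', 'affected', 'needs_rp'} for an inventory."""
    report = {}
    for host, build in inventory.items():
        try:
            cves = affected_cves(build)
            needs = required_rp(parse_build(build)[0]) if cves else None
            report[host] = {"build": build, "affected": cves, "needs_rp": needs}
        except ValueError as exc:
            report[host] = {"build": build, "affected": None, "error": str(exc)}
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "xms-prod-1": "10.14.0 RP3",   # still carries all three CVEs
        "xms-prod-2": "10.14.0 RP4",   # first fix applied, CVE-2022-26151 remains
        "xms-dr-1":   "10.13.0 RP8",   # fully patched
        "xms-lab":    "10.12.0 RP2",   # branch not listed in this advisory
    }
    for host, row in triage(sample).items():
        print(host, row)
```

Running the block prints one line per host; `xms-prod-2` is the case worth noticing, since it is patched for the Medium-severity pair yet still needs rolling patch 5 for CVE-2022-26151.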
The latest versions of Citrix XenMobile Server can be downloaded from the following location:
Changelog
| Date | Change |
|---|---|
| 2022-04-12 | Initial Publication |