CTX370551

Citrix Endpoint Management (XenMobile Server) Security Bulletin for CVE-2021-44519, CVE-2021-44520, and CVE-2022-26151

Applicable Products

  • XenMobile

Description of Problem

Vulnerabilities have been discovered in Citrix Endpoint Management (XenMobile Server), which, collectively, may allow a XenMobile console user with either an admin role or a custom role that has ‘Create Support Bundles’ enabled, to gain root access to the underlying OS. 

CVE-2021-44519
  • Description: Unauthorized access to the underlying OS
  • CWE: CWE-284: Improper Access Control
  • Pre-conditions: A XenMobile console user must have either an admin role or a custom role that has ‘Create Support Bundles’ enabled. These permissions can only be assigned by an admin user.

CVE-2021-44520
  • Description: Unauthorized root access to the underlying OS
  • CWE: CWE-284: Improper Access Control
  • Pre-conditions: Access to the underlying OS

CVE-2022-26151
  • Description: Unauthorized root access to the underlying OS
  • CWE: CWE-20: Improper Input Validation
  • Pre-conditions: Admin access to XenMobile Server CLI


The issues affect the following supported versions of Citrix Endpoint Management (XenMobile Server):

CVE-2021-44519, CVE-2021-44520 - Medium severity: 

  • XenMobile Server 10.14.0 before rolling patch 4 

  • XenMobile Server 10.13.0 before rolling patch 7 

 

CVE-2022-26151 - Low severity: 

  • XenMobile Server 10.14.0 before rolling patch 5 

  • XenMobile Server 10.13.0 before rolling patch 8 


What Customers Should Do

The issues have been addressed in the following supported versions of Citrix Endpoint Management (XenMobile Server):

CVE-2021-44519, CVE-2021-44520 - Medium severity:

  • XenMobile Server 10.14.0 rolling patch 4 and later releases of 10.14.0 

  • XenMobile Server 10.13.0 rolling patch 7 and later releases of 10.13.0 

 

CVE-2022-26151 - Low severity:

  • XenMobile Server 10.14.0 rolling patch 5 and later releases of 10.14.0 

  • XenMobile Server 10.13.0 rolling patch 8 and later releases of 10.13.0 
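The fixed-version matrix above can be checked mechanically against an inventory of XenMobile Server builds. The following is an added example written for this bulletin, not Citrix code; the host names and version strings in it are constructed samples, and the "10.14.0 RP4" string format is an assumption about how an inventory might record a rolling patch.

```python
# Added example (not part of the Citrix bulletin): triage a XenMobile Server
# inventory against the rolling-patch thresholds stated in CTX370551.
import re

# Rolling patch that fixes each CVE on each supported branch, per the bulletin.
FIXED_IN = {
    "CVE-2021-44519": {"10.14.0": 4, "10.13.0": 7},
    "CVE-2021-44520": {"10.14.0": 4, "10.13.0": 7},
    "CVE-2022-26151": {"10.14.0": 5, "10.13.0": 8},
}
SEVERITY = {"CVE-2021-44519": "Medium", "CVE-2021-44520": "Medium", "CVE-2022-26151": "Low"}
SUPPORTED_BRANCHES = ("10.14.0", "10.13.0")  # the only branches the bulletin covers

# Assumed inventory format: "10.14.0 RP4" (rolling patch 4) or "10.14.0" (no rolling patch).
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:\s*RP\s*(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return (branch, rolling_patch); a missing RP suffix means rolling patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XenMobile version string: {text!r}")
    return m.group(1), int(m.group(2) or 0)


def exposed_cves(version_text):
    """Map each CVE still unpatched on this build to its severity.

    Returns {} when the build carries every fix, and None when the branch is not
    one the bulletin covers (so it needs manual review rather than a verdict).
    """
    branch, rp = parse_version(version_text)
    if branch not in SUPPORTED_BRANCHES:
        return None
    return {cve: SEVERITY[cve] for cve, fixes in FIXED_IN.items() if rp < fixes[branch]}


def triage(inventory):
    """inventory: {host: version_text}. Keep only hosts that need action or review."""
    results = {host: exposed_cves(v) for host, v in inventory.items()}
    return {host: r for host, r in results.items() if r != {}}


if __name__ == "__main__":
    # Constructed sample inventory: one partially patched, one fully patched, one unsupported.
    sample = {"xms-01": "10.14.0 RP4", "xms-02": "10.13.0 RP8", "xms-03": "10.12.0 RP11"}
    for host, result in triage(sample).items():
        print(host, "needs review (branch not covered)" if result is None else result)
```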

 

Citrix recommends that affected customers upgrade to a fixed version as soon as their patching schedule allows. 

The latest versions of Citrix XenMobile Server can be downloaded from the following location: 

https://www.citrix.com/downloads/citrix-endpoint-management/product-software/xenmobile-10-server.html  


Acknowledgements

Citrix thanks Chiu TsungShu and Sheng-Fu Chang of CHT Security for working with us to protect Citrix customers.

What Citrix is Doing

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

Subscribe to Receive Alerts

Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.

Changelog

Date Change
2022-04-12 Initial Publication