Description of Problem
A number of security vulnerabilities have been identified in Citrix XenMobile Server. The vulnerabilities have been assigned the following CVE numbers.
Affecting XenMobile Server 10.7 and 10.8:
- CVE-2018-10653 (High): XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server
- CVE-2018-10650 (Medium): Insufficient Path Validation Vulnerability in Citrix XenMobile Server
- CVE-2018-10654 (Medium): Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server
- CVE-2018-10648 (Low): Unauthenticated File Upload Vulnerabilities in Citrix XenMobile Server
- CVE-2018-10651 (Low): Open Redirect Vulnerabilities in Citrix XenMobile Server
Affecting XenMobile Server 10.7:
- CVE-2018-10649 (Medium): Cross-Site Scripting Vulnerability in Citrix XenMobile Server
- CVE-2018-10652 (Medium): Sensitive Data Leakage in Citrix XenMobile Server
These issues have already been addressed in the Citrix Cloud service.
Mitigating Factors
CVE-2018-10650 (Medium): Insufficient Path Validation Vulnerability in Citrix XenMobile Server
A compromised or malicious XenMobile Server administrator session is required in order to exploit this vulnerability.
CVE-2018-10654 (Medium): Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server
This issue is only exposed if XenMobile Clustering has been enabled.
What Customers Should Do
With the exception of CVE-2018-10654, these vulnerabilities have been addressed in new versions of Citrix XenMobile Server.
Citrix recommends that customers upgrade Citrix XenMobile 10.8 to Rolling Patch 2 found at https://support.citrix.com/article/CTX234866 and Citrix XenMobile 10.7 to Rolling Patch 3 found at https://support.citrix.com/article/CTX234867.
Customers using XenMobile Clustering should mitigate CVE-2018-10654 by ensuring that port 45000 on the XenMobile Server nodes is not reachable from untrusted sources. Port 45000 should only be accessible between XenMobile Server nodes. See https://docs.citrix.com/en-us/xenmobile/server/system-requirements/ports.html.
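One way to express the port 45000 restriction above as host firewall rules, as an added example that is not part of the Citrix advisory: the script assumes iptables is the host firewall and that the operator supplies the cluster node IP addresses (the addresses used in the test are constructed samples); it only prints the rules for review and never applies them.

```shell
#!/bin/sh
# Added example, not Citrix's own tooling: restrict the Hazelcast cluster
# port 45000 so that only the other XenMobile Server nodes can reach it.
# Assumptions: iptables host firewall; node IPs passed in by the operator.

HAZELCAST_PORT=45000

# Print (do not execute) one ACCEPT rule per cluster node followed by a
# DROP for everyone else, so the operator can review before applying.
build_rules() {
    nodes="$1"
    for ip in $nodes; do
        echo "iptables -A INPUT -p tcp --dport $HAZELCAST_PORT -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $HAZELCAST_PORT -j DROP"
}

# Return 0 if the source address is a cluster node (would be accepted by
# the generated rules), 1 otherwise. Used to sanity-check the node list.
is_allowed() {
    nodes="$1"
    src="$2"
    for ip in $nodes; do
        [ "$ip" = "$src" ] && return 0
    done
    return 1
}

# Number of rules generated: one per node plus the trailing DROP.
rule_count() {
    build_rules "$1" | wc -l | tr -d ' '
}
```

The rules only take effect if no earlier ACCEPT rule in the INPUT chain already matches port 45000, so check the existing chain order before appending them.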
Acknowledgements
Citrix thanks the following for working with us to protect Citrix customers:
- Glyn Wintle and Harry Metcalfe of DXW Cyber (https://www.dxwcyber.com/)
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix