Citrix Endpoint Management (XenMobile Server) Security Bulletin

Issue

Vulnerabilities have been discovered in Citrix Endpoint Management (XenMobile Server), which, collectively, may allow a XenMobile console user with either an admin role or a custom role that has ‘Create Support Bundles’ enabled, to gain root access to the underlying OS. 
To review all 4 Citrix vulnerabilities announced on April 12th, please read our digest.

CVD-ID: CVE-2021-44519
Description: Unauthorized access to the underlying OS
CWE: CWE-284: Improper Access Control
Pre-Conditions: A XenMobile console user must have either an admin role or a custom role that has ‘Create Support Bundles’ enabled. These permissions can only be assigned by an admin user.

CVD-ID: CVE-2021-44520
Description: Unauthorized root access to the underlying OS
CWE: CWE-284: Improper Access Control
Pre-Conditions: Access to the underlying OS

CVD-ID: CVE-2022-26151
Description: Unauthorized root access to the underlying OS
CWE: CWE-20: Improper Input Validation
Pre-Conditions: Admin access to XenMobile CLI

Affected versions

The issues affect the following supported versions of Citrix Endpoint Management (XenMobile Server):

CVE-2021-44519, CVE-2021-44520 – Medium severity:

  • XenMobile Server 10.14.0 before rolling patch 4
  • XenMobile Server 10.13.0 before rolling patch 7

CVE-2022-26151 – Low severity:

  • XenMobile Server 10.14.0 before rolling patch 5
  • XenMobile Server 10.13.0 before rolling patch 8

Recommended Action

The issues have been addressed in the following supported versions of Citrix Endpoint Management (XenMobile Server):

CVE-2021-44519, CVE-2021-44520 – Medium severity:

  • XenMobile Server 10.14.0 rolling patch 4 and later releases of 10.14.0
  • XenMobile Server 10.13.0 rolling patch 7 and later releases of 10.13.0

CVE-2022-26151 – Low severity:

  • XenMobile Server 10.14.0 rolling patch 5 and later releases of 10.14.0
  • XenMobile Server 10.13.0 rolling patch 8 and later releases of 10.13.0
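As an added example (not Citrix's or Kraft Kennedy's code), the following Python checker encodes the affected and fixed rolling-patch levels from the two lists above and reports, for a given XenMobile Server version string, which of the three CVEs still apply. The version-string formats it accepts ("10.14.0", "10.14.0 RP3", "10.13.0 rolling patch 8") and the host inventory at the bottom are assumptions constructed for the example; versions the bulletin does not list are reported as "not-listed" rather than guessed at.

```python
import re

# Minimum rolling patch (RP) that fixes each CVE on each listed 10.x.0 base
# version, taken from the "Recommended Action" section of the bulletin.
# Any RP below the listed number is within the "before rolling patch N" range.
FIXED_RP = {
    "CVE-2021-44519": {"10.14.0": 4, "10.13.0": 7},
    "CVE-2021-44520": {"10.14.0": 4, "10.13.0": 7},
    "CVE-2022-26151": {"10.14.0": 5, "10.13.0": 8},
}

# Assumed version-string shapes: "10.14.0", "10.14.0 RP3", "10.13.0 rolling patch 8".
VERSION_RE = re.compile(
    r"^(\d+\.\d+\.\d+)(?:\s*(?:RP|rolling patch)\s*(\d+))?$", re.IGNORECASE
)


def parse_version(version):
    """Return (base_version, rolling_patch). A missing RP suffix means RP 0."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised XenMobile version string: {version!r}")
    return match.group(1), int(match.group(2) or 0)


def assess(version):
    """Map each CVE in the bulletin to 'affected', 'fixed' or 'not-listed'."""
    base, rp = parse_version(version)
    status = {}
    for cve, fixes in FIXED_RP.items():
        if base not in fixes:
            # Base version is not one the bulletin covers; do not guess.
            status[cve] = "not-listed"
        elif rp < fixes[base]:
            status[cve] = "affected"
        else:
            status[cve] = "fixed"
    return status


def needs_patch(version):
    """True if any CVE from the bulletin is still unpatched on this version."""
    return any(s == "affected" for s in assess(version).values())


def patch_report(inventory):
    """Return [(host, version, [unpatched CVEs])] for hosts that still need a patch."""
    report = []
    for host, version in inventory:
        open_cves = [cve for cve, s in assess(version).items() if s == "affected"]
        if open_cves:
            report.append((host, version, open_cves))
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration; host names are placeholders.
    inventory = [
        ("xms-prod-01", "10.14.0 RP3"),
        ("xms-prod-02", "10.14.0 RP4"),
        ("xms-dr-01", "10.13.0 rolling patch 8"),
    ]
    for host, version, open_cves in patch_report(inventory):
        print(f"{host} ({version}): unpatched for {', '.join(open_cves)}")
```

Note that a host on 10.14.0 RP4 is reported as still open for CVE-2022-26151 only, matching the separate RP5 requirement in the bulletin; the checker therefore tells you which patch level to target, not just whether a host is behind.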

Citrix recommends that affected customers upgrade to a fixed version as soon as their patching schedule allows.

The latest versions of Citrix XenMobile Server can be downloaded from https://www.citrix.com/downloads/citrix-endpoint-management/product-software/xenmobile-10-server.html

More Information

https://support.citrix.com/article/CTX370551

For assistance from the Kraft Kennedy team, please contact us.