====================================================================
CERT-Renater Note d'Information No. 2019/VULN116
_____________________________________________________________________

DATE                 : 30/04/2019
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Citrix XenMobile Server versions 10.9.0, 10.8.0.
=====================================================================

https://support.citrix.com/article/CTX247736
_____________________________________________________________________

Authentication Bypass vulnerability in XenMobile Server

Reference : CTX247736
Category  : Critical
Created   : 26 Apr 2019
Modified  : 26 Apr 2019

Applicable Products

  o XenMobile
  o XenMobile 10.8

Description of Problem

A vulnerability has been identified in Citrix XenMobile Server that could
permit an attacker to impersonate and take actions on behalf of any Mobile
Device Management (MDM) enrolled device.

The vulnerability has been assigned the following CVE number:

  o CVE-2018-18571: Authentication Bypass Vulnerability in Citrix XenMobile
    Server.

This vulnerability affects the following products:

  o Citrix XenMobile Server 10.9.0 before Rolling Patch 3.
  o Citrix XenMobile Server 10.8.0 before Rolling Patch 6.

What Customers Should Do

Citrix recommends customers running Citrix XenMobile Server 10.9.0 upgrade
to Rolling Patch 3 found at https://support.citrix.com/article/CTX249985
and Citrix XenMobile Server 10.8.0 upgrade to Rolling Patch 6 found at
https://support.citrix.com/article/CTX250711 .

Also, a newer version of Citrix XenMobile Server is now available:

  Citrix XenMobile Server version 10.10.0.7

Citrix strongly recommends that affected customers upgrade their XenMobile
Servers to the new version. This new version can be obtained from the
following location:

  Citrix Product Downloads:
  https://www.citrix.com/downloads/citrix-endpoint-management/ .

These issues have already been addressed in the Citrix Cloud service.

Windows device users who have upgraded to Citrix Endpoint Management 19.3.1,
please reference the following article and recreate your Store device
policy: https://support.citrix.com/article/CTX249857 .

Acknowledgements

Citrix thanks Jonas of Danske Bank for working with us to protect Citrix
customers.

Changelog

+----------------------------------+------------------------------------------+
|Date                              |Change                                    |
+----------------------------------+------------------------------------------+
|26th April 2019                   |Initial Publication                       |
+----------------------------------+------------------------------------------+

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41         +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================