
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN450
_____________________________________________________________________

DATE                : 14/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Citrix Endpoint Management,
                      XenMobile Server.

=====================================================================
https://support.citrix.com/article/CTX277457
_____________________________________________________________________

Citrix Endpoint Management (CEM) Security Update

Reference: CTX277457
Category : Critical
Created  : 11 Aug 2020
Modified : 11 Aug 2020

Applicable Products

  o Citrix Endpoint Management
  o XenMobile

Description of Problem

Multiple vulnerabilities have been discovered in Citrix Endpoint
Management (CEM), also referred to as XenMobile.


These vulnerabilities have the following identifiers:

  o CVE-2020-8208
  o CVE-2020-8209
  o CVE-2020-8210
  o CVE-2020-8211
  o CVE-2020-8212

The following versions of Citrix Endpoint Management (CEM) are affected
by critical severity vulnerabilities:

  o XenMobile Server 10.12 before RP2
  o XenMobile Server 10.11 before RP4
  o XenMobile Server 10.10 before RP6
  o XenMobile Server before 10.9 RP5

Customers affected by these critical severity vulnerabilities are
strongly recommended to update their deployments immediately.

Additionally, the following versions of Citrix Endpoint Management
(CEM) are affected by medium and low severity vulnerabilities:

  o XenMobile Server 10.12 before RP3
  o XenMobile Server 10.11 before RP6
  o XenMobile Server 10.10 before RP6
  o XenMobile Server before 10.9 RP5

Customers who are only affected by these medium and low severity
vulnerabilities are recommended to update their deployments as soon as
their patching schedule allows.

Customers using the cloud version of Citrix Endpoint Management are not
affected by these vulnerabilities.


What Customers Should Do

The latest Rolling Patches for Citrix Endpoint Management (CEM) can be
downloaded from the following locations:

  o XenMobile Server 10.12 RP3: https://support.citrix.com/article/CTX277473
  o XenMobile Server 10.11 RP6: https://support.citrix.com/article/CTX277698
  o XenMobile Server 10.10 RP6: https://support.citrix.com/article/CTX279101
  o XenMobile Server 10.9 RP5: https://support.citrix.com/article/CTX279098

Customers should ensure they are running a supported version and then
download and deploy the latest rolling patch to their deployments.


Acknowledgements

Citrix would like to thank Andrey Medov of Positive Technologies
( https://www.ptsecurity.com ), Glyn Wintle of Tradecraft
( https://www.wearetradecraft.com ) and Kristian Bremberg of Detectify
for working with us to protect Citrix customers.


Changelog

Date            Change
2020-08-11      Initial publication


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




