
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN679
_____________________________________________________________________

DATE                : 10/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Android running Citrix Secure Mail versions prior
                     to 20.11.0.

=====================================================================
https://support.citrix.com/article/CTX286763
_____________________________________________________________________

CTX286763
Citrix Secure Mail for Android Security Update
Security Bulletin | High | Created: 08 Dec 2020 | Modified: 08 Dec 2020


Description of Problem

Vulnerabilities have been discovered in Citrix Secure Mail for Android
that could allow unauthorised access to data within Citrix Secure Mail.



These vulnerabilities have the following identifiers:

CVE ID:             CVE-2020-8274
Description:        Unauthenticated access to read data stored within
                    Secure Mail
Vulnerability Type: CWE-94: Improper Control of Generation of Code
                    ('Code Injection')
Pre-conditions:     A malicious app would need to be installed on the
                    Android device or a threat actor would need to
                    execute arbitrary code on the Android device

CVE ID:             CVE-2020-8275
Description:        Unauthenticated access to read limited calendar
                    related data stored within Secure Mail
Vulnerability Type: CWE-284: Improper Access Control
Pre-conditions:     A malicious app would need to be installed on the
                    Android device or a threat actor would need to
                    execute arbitrary code on the Android device



The following versions of Citrix Secure Mail are affected by these
issues:

    Citrix Secure Mail for Android before 20.11.0

Citrix Secure Mail for iOS is unaffected by these vulnerabilities.


Mitigating Factors

Customers who have enabled automatic updates on their device will be
automatically updated to a fixed version of Citrix Secure Mail.


What Customers Should Do

The issues have been addressed in the following versions of Citrix
Secure Mail:

    Citrix Secure Mail for Android 20.11.0 and later

Customers are recommended to ensure that users of Secure Mail for
Android have updated to the latest version using the Google Play Store
as soon as possible.


Acknowledgements

Citrix would like to thank Julien Thomas of the Protektoid project for
working with us to protect Citrix customers.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical Support
are available at https://www.citrix.com/support/open-a-support-case.html.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. For details
on our vulnerability response process and guidance on how to report
security-related issues to Citrix, please see the following webpage:
https://www.citrix.com/about/trust-center/vulnerability-process.html


Disclaimer

This document is provided on an "as is" basis and does not imply any
kind of guarantee or warranty, including the warranties of
merchantability or fitness for a particular use. Your use of the
information on the document is at your own risk. Citrix reserves the
right to change or update this document at any time.


Changelog
Date            Change
2020-12-08      Initial Publication

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================





