Citrix XenMobile Server– Path Traversal
Andrey Medov, a penetration tester at Positive Technologies recently published an article on a Path traversal vulnerability (CVE-2020-8209) in Citrix Endpoint Management (CEM), often referred to as XenMobile Server. The vulnerability was first discovered by him and Citrix pre-notified customers on July 23rd.
The vulnerability affects the following XenMobile Server versions:
· 10.12 before RP2
· 10.11 before RP4
· 10.10 before RP6
· versions before 10.9 RP5
The vulnerability found within help-sb-download.jsp file allows an unauthorized user to read arbitrary files, including configuration files containing passwords.
Mitigation with BIG-IP Advanced WAF
A malicious request targeting this CVE will resemble the requests in Figure 1.
Figure 1 Malicious requests targeting this CVE
Advanced WAF customers under any supported BIG-IP version are already protected against this vulnerability. An exploitation attempt will be detected by many existing attack signatures for directory traversal attempt.
Figure 2 Exploit request detected by various Directory traversal signatures