Harsh_Chawla, F5 Employee

Andrey Medov, a penetration tester at Positive Technologies, recently published an article on a path traversal vulnerability (CVE-2020-8209) in Citrix Endpoint Management (CEM), often referred to as XenMobile Server. He was the first to discover the vulnerability, and Citrix pre-notified customers on July 23rd, 2020.

The vulnerability affects the following XenMobile Server versions:

·    10.12 before RP2

·    10.11 before RP4

·    10.10 before RP6

·    versions before 10.9 RP5

The vulnerability, located in the help-sb-download.jsp file, allows an unauthorized user to read arbitrary files from the server, including configuration files containing passwords. It is a classic path traversal: a user-supplied file name is joined onto the directory the page is meant to serve from without being canonicalised, so "../" segments walk out of that directory.
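The following is an added illustration of the defect class, not Citrix's code and not the actual help-sb-download.jsp logic: a file-download handler that joins the requested name onto its base directory without checks, beside a hardened version that canonicalises the path and requires the result to stay inside the base directory. The directory layout and file contents are constructed for the demonstration.

```python
import os
import tempfile

# Constructed directory layout for the demonstration (not XenMobile's real layout):
#   <root>/help/readme.txt         - the only file the download page should serve
#   <root>/config/app.properties   - a file outside the served directory
def make_demo_tree():
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    help_dir = os.path.join(root, "help")
    os.makedirs(help_dir)
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(help_dir, "readme.txt"), "w") as f:
        f.write("public help text\n")
    with open(os.path.join(root, "config", "app.properties"), "w") as f:
        f.write("db.password=constructed-secret\n")
    return help_dir


def download_vulnerable(help_dir, requested):
    """The defect class: the user-supplied name is joined onto the base
    directory with no canonicalisation, so '..' segments escape it."""
    path = os.path.join(help_dir, requested)
    with open(path) as f:
        return f.read()


def download_hardened(help_dir, requested):
    """Canonicalise first, then require the result to remain inside help_dir.
    Returns None for anything that escapes or cannot be opened."""
    base = os.path.realpath(help_dir)
    try:
        # os.path.join discards base if `requested` is absolute; realpath also
        # resolves '..' and symlinks, so the containment test below sees the
        # real target rather than the string the client sent.
        target = os.path.realpath(os.path.join(base, requested))
    except (ValueError, OSError):  # e.g. an embedded NUL byte in the name
        return None
    # commonpath is the robust containment check: a plain startswith() would
    # accept a sibling directory such as '/srv/help2' for base '/srv/help'.
    if os.path.commonpath([base, target]) != base:
        return None
    try:
        with open(target) as f:
            return f.read()
    except OSError:
        return None


def demo():
    """Run both handlers against a benign name and a traversal name."""
    help_dir = make_demo_tree()
    return {
        "vuln_benign": download_vulnerable(help_dir, "readme.txt"),
        "vuln_traversal": download_vulnerable(help_dir, "../config/app.properties"),
        "hard_benign": download_hardened(help_dir, "readme.txt"),
        "hard_traversal": download_hardened(help_dir, "../config/app.properties"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, repr(v))
```

The vulnerable handler happily returns the properties file from outside its directory; the hardened one refuses it. Note that the check is done on the canonical filesystem path, not on the request string, which is why URL-encoding tricks that fool string matching do not help an attacker here.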

Mitigation with BIG-IP Advanced WAF

A malicious request targeting this CVE will resemble the requests in Figure 1.


Figure 1 Malicious requests targeting this CVE

Advanced WAF customers on any supported BIG-IP version are already protected against this vulnerability: an exploitation attempt is detected by several of the existing attack signatures for directory traversal attempts, as long as those signatures are attached to the security policy and enforced (a signature still in staging, or a policy in transparent mode, will only log the request).
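As an added example of what a directory-traversal signature has to do, the following detector is mine, not F5's signature logic and not a reproduction of the Figure 1 requests. It decodes each request-line component repeatedly (so single- and double-URL-encoded variants are caught), treats backslashes like slashes, and only flags ".." when it stands alone as a path segment. The sample request lines are constructed, and the query parameter name `name` is a placeholder, not the parameter used by the real CVE.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# A traversal token is '..' standing alone as a path segment after decoding.
# 'notes..txt' or 'a.b/c' must not match; '../', '..\\' and a trailing '..' must.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly (capped, so a hostile input cannot make us
    loop forever), then map backslashes to slashes so '..\\..\\' is judged the
    same way as '../../'."""
    prev, rounds = None, 0
    while value != prev and rounds < max_rounds:
        prev, value = value, unquote(value)
        rounds += 1
    return value.replace("\\", "/")


def detect_traversal(request_line):
    """Return a list of (location, decoded_value) hits for one HTTP request line.
    Both the URL path and every query-string value are inspected."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return []
    parts = urlsplit(target)
    hits = []
    path = normalize(parts.path)
    if TRAVERSAL_RE.search(path):
        hits.append(("path", path))
    # parse_qsl already decodes one layer; normalize() handles further layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = normalize(value)
        if TRAVERSAL_RE.search(decoded):
            hits.append(("query:" + name, decoded))
    return hits


# Constructed sample request lines (the 'name' parameter is a placeholder).
SAMPLE_REQUESTS = [
    "GET /jsp/help-sb-download.jsp?name=readme.txt HTTP/1.1",                      # benign
    "GET /jsp/help-sb-download.jsp?name=../../../../etc/passwd HTTP/1.1",          # plain
    "GET /jsp/help-sb-download.jsp?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",  # encoded
    "GET /jsp/help-sb-download.jsp?name=%252e%252e%252fetc%252fpasswd HTTP/1.1",   # double-encoded
    "GET /jsp/help-sb-download.jsp?name=..%5c..%5cwindows%5cwin.ini HTTP/1.1",     # backslashes
    "GET /jsp/../help-sb-download.jsp HTTP/1.1",                                   # traversal in path
    "GET /jsp/help-sb-download.jsp?name=notes..txt HTTP/1.1",                      # '..' inside a name
]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(detect_traversal(line) or "clean", "<-", line)
```

Two of the cases are the ones that separate a useful signature from a naive one: the double-encoded request only reveals "../" after a second decoding pass, and "notes..txt" must stay clean or the signature will generate false positives on ordinary file names.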


Figure 2 Exploit request detected by various directory traversal signatures

Last update: 19-Nov-2020 13:23