Users who can make network requests from localhost can run commands as root including creating new unix users and changing passwords. Theses users can also login with high privileges on the web interface.
Current state: Reported
On the Xen Mobile server there is a Tomcat server running as root on ports 8000, 30000 and 30001. These ports are only available within the local machine. It is part of the Xen Mobile application, it appears to be a backing service used by the application to run privileged commands on the system.
While there is authentication around this service, it is not enforced if requests are made from localhost. As described in other findings, there are several vulnerabilities that allow an unauthenticated user to make requests from the Xen Mobile server (ie, localhost).
This Tomcat server allows callers to execute a variety of commands that should not be available to unauthenticated users. For example:
2018-03-28 – Reported to Citrix and acknowledged immediately
2018-05-21 – Citrix report that they do not consider this issue to be a vulnerability
Citrix have acknowledged this issue but have not addressed it on the basis that it is already mitigated:
[This issue is] already mitigated by the internal firewall that limits access to configuration services to localhost. Because these are already mitigated, we did not list them in the Citrix security bulletin.
We acknowledge that the firewall does prevent this issue from being exploited externally. However the issue nonetheless exists, making the service vulnerable to local attack, and potentially to remote attack in the case that another vulnerability is found that allows the firewall to be circumvented.
As such, we still consider the issue relevant.