Lack of authentication in Citrix Xen Mobile 10.6 through 10.8 allows low-privileged local users to execute system commands as root


Last revised:

Users who can make network requests from localhost can run commands as root including creating new unix users and changing passwords. Theses users can also login with high privileges on the web interface.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 7.2 High
Vector Local
Complexity Low
Authentication None
Confidentiality Complete
Integrity Complete
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

On the Xen Mobile server there is a Tomcat server running as root on ports 8000, 30000 and 30001. These ports are only available within the local machine. It is part of the Xen Mobile application, it appears to be a backing service used by the application to run privileged commands on the system.

While there is authentication around this service, it is not enforced if requests are made from localhost. As described in other findings, there are several vulnerabilities that allow an unauthenticated user to make requests from the Xen Mobile server (ie, localhost).  

This Tomcat server allows callers to execute a variety of commands that should not be available to unauthenticated users. For example:

  • Change the administrator password (/admin_user/cli/reset_password)
  • Create a new administrator (/admin_user/ui/create1)
  • Decrypting passwords (/sftu/crypto/dec)
  • Dropping firewall rules (/firewall/iptables_stop)

Advisory timeline

2018-03-28 – Reported to Citrix and acknowledged immediately

2018-05-21 – Citrix report that they do not consider this issue to be a vulnerability

Mitigation/further actions

Citrix have acknowledged this issue but have not addressed it on the basis that it is already mitigated:

[This issue is] already mitigated by the internal firewall that limits access to configuration services to localhost.  Because these are already mitigated, we did not list them in the Citrix security bulletin.

We acknowledge that the firewall does prevent this issue from being exploited externally. However the issue nonetheless exists, making the service vulnerable to local attack, and potentially to remote attack in the case that another vulnerability is found that allows the firewall to be circumvented.

As such, we still consider the issue relevant.