Xen Mobile contains open redirect vulnerabilities

Vulnerability

Last revised: March 26, 2018

Xen Mobile contains open redirect vulnerabilities. This is a class of vulnerability where a service will redirect a user to a location controlled by an attacker.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	5 Medium
Vector	Network
Complexity	Low
Authentication	None
Confidentiality	None
Integrity	Partial
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Xen Mobile contains open redirect vulnerabilities. This is a class of vulnerability where a service will redirect a user to a location controlled by an attacker.

These vulnerabilities allow users to be tricked into thinking they are visiting the site when in fact they are visiting a location controlled by the attacker.

https://target/zdm/dynamictp/dynamicredirect.jsp?target=http://www.evilwebsite.com
https://target/aw/saml/signin/test?RelayState=http://www.evilwebsite.com

These vulnerabilities are used by attackers to steal credentials from users in phishing attacks, by sending them to a genuine URL that then forwards the user to an similar-looking untrustworthy location.

Advisory timeline

2018-03-28 – Reported to Citrix and acknowledged immediately

2018-05-21 – Issue reported fixed

Mitigation/further actions

Block these URLs or add filtering to limit the target and RelayState values to locations known to be safe
Consider adding monitoring to detect if these URLs are called with unexpected values
Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
Install an update rectifying this issue as soon as one is available

dxw advisories

Advisory: