Unauthorized Command Execution in Citrix Xen Mobile by Low-Privileged Users
CVE-2018-18014

7.8HIGH

Key Information:

Vendor: Citrix
Status: Xenmobile Server
Vendor: CVE Published:; 24 October 2018

Summary

Citrix Xen Mobile 10.8 has a security flaw that allows low-privileged local users to execute system commands as root. This can be done by making requests to private services operating on ports 8000, 30000, and 30001 without proper authentication, thus threatening the integrity of the system. While the vendor asserts that the risk is mitigated by an internal firewall restricting access to configuration services, this vulnerability highlights potential security concerns regarding local access and command execution.

References

https://advisories.dxw.com/advisories/xen-mobile-backing-...

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 24, 2018
Vulnerability Reserved
Oct 5, 2018