Citrix warns of patch-ASAP-grade bugs in its working-from-home products, just as we're all working from home

Expect Citrix Endpoint Management gear to come under attack soon

4 Reg comments Got Tips?

With the world+dog releasing patches today, Citrix has another serious security situation it needs users’ help to smother.

This time the problem is in the Citrix Endpoint Management (formerly known as XenMobile Server), the product Citrix suggests as an ideal way to securely manage devices and “let employees work how, when and where they want.”

The software maker today issued a security update and explainer that don’t detail the bugs in any depth, but do urge immediate upgrades.

“While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit,” the paperwork stated.

Citrix

We told you remote working is quite good, says Citrix as its numbers head higher

READ MORE

The situation is sufficiently serious that Citrix gave advance notice of the bugs to “a number of major CERTs around the world.” But it’s not explained just what the bugs entail, offering only a list of CVE numbers (2020-8208 through 8212), and hasn’t said which of the five are critical.

What we do know is that the bugs are rated critical in the following four releases:

  • XenMobile Server 10.12 before RP2
  • XenMobile Server 10.11 before RP4
  • XenMobile Server 10.10 before RP6
  • XenMobile Server before 10.9 RP5

Citrix’s advice for the abovementioned product is a strong recommendation to update immediately. There are also medium-and-low-grade bugs with a patch-as-soon-as-convenient rating, impacting the following:

  • XenMobile Server 10.12 before RP3
  • XenMobile Server 10.11 before RP6
  • XenMobile Server 10.10 before RP6
  • XenMobile Server before 10.9 RP5

Matters are a little complicated for Citrix cloud customers, as while the biz has patched its own operations, those running in hybrid mode need to sort themselves out on-prem.

No critical bug is welcome, though Citrix can ill-afford this incident thanks to past security incidents such as its massive data leak in March 2019; the Christmas 2019 Netscaler bug, which was widely exploited and rather nasty; and June 2020 Workspace vulnerability. The company is clearly now sensitive to its missteps, as shown by its recent and unusual decision to preemptively deny rumors suggesting a compromise of its internal networks.

While the paragraph above details quite a rap sheet, the software house continues to rack up impressive financial performance, and says its customers are committed for the long-haul. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020