Recently, a vulnerability (known as “Heartbleed”) was identified in OpenSSL. This is a significant vulnerability because it could allow a remote attacker to extract sensitive data directly from the process address space of a vulnerable client or server.

There is more information on this issue, and the way in which Citrix has responded to it, in the Citrix security advisory:

Impact to XenMobile Deployments

A high level reference architecture for XenMobile is shown in the following diagram.

As can be seen from the above diagram, in a typical deployment the Device Manager and App Controller are deployed behind a NetScaler device. Because the NetScaler is not vulnerable to Heartbleed, the highest-risk attack vector, a direct Heartbleed attack on an Internet-facing server SSL interface, would not normally be possible.

Our immediate analysis of the XenMobile solution showed that the App Controller was using a vulnerable version of OpenSSL. Since this library is used for both inbound and outbound TLS connections, some associated risk remains. It is noteworthy that the overall security architecture of the XenMobile solution helps to protect customer deployments even when such a critical vulnerability exists.

Citrix has released a patch for version 2.10 of the App Controller, which removes the vulnerable version of OpenSSL and incorporates a patched version of OpenSSL for all SSL/TLS connections. We are currently working on a patch for 2.9 and will update this post, and the formal Citrix security advisory, as soon as this is available.

We recommend that customers download and apply this patch as soon as possible; it can be downloaded from the following location:

XenMobile Enterprise:

XenMobile App Edition: