Vulnerabilities have been discovered in Citrix Secure Mail for Android that could allow unauthorised access to data within Citrix Secure Mail.
These vulnerabilities have the following identifiers:
CVE ID | Description | Vulnerability Type | Pre-conditions |
CVE-2020-8274 | Unauthenticated access to read data stored within Secure Mail | CWE-94: Improper Control of Generation of Code ('Code Injection') | A malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device |
CVE-2020-8275 | Unauthenticated access to read limited calendar related data stored within Secure Mail | CWE-284: Improper Access Control | A malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device |
The following versions of Citrix Secure Mail are affected by these issues:
Citrix Secure Mail for Android before 20.11.0
Citrix Secure Mail for iOS is unaffected by these vulnerabilities.
Customers who have enabled automatic updates on their device will be automatically updated to a fixed version of Citrix Secure Mail.
The issues have been addressed in the following versions of Citrix Secure Mail:
Citrix Secure Mail for Android 20.11.0 and later
Citrix recommends that customers ensure users of Secure Mail for Android update to the latest version from the Google Play Store as soon as possible.
Citrix would like to thank Julien Thomas of the Protektoid project for working with us to protect Citrix customers.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time.
Date | Change |
2020-12-08 | Initial Publication |