CTX286763 (Citrix)
Dec 08, 2020 - 3:53 p.m.

Citrix Secure Mail for Android Security Update

2020-12-08 15:53:25
support.citrix.com

CVSS2: 4.3

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3: 6.5

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS: 0.004 (Percentile: 72.0%)

Description of Problem

Vulnerabilities have been discovered in Citrix Secure Mail for Android that could allow unauthorised access to data within Citrix Secure Mail.

These vulnerabilities have the following identifiers:

| CVE ID | Description | Vulnerability Type | Pre-conditions |
|---|---|---|---|
| CVE-2020-8274 | Unauthenticated access to read data stored within Secure Mail | CWE-94: Improper Control of Generation of Code (‘Code Injection’) | A malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device |
| CVE-2020-8275 | Unauthenticated access to read limited calendar related data stored within Secure Mail | CWE-284: Improper Access Control | A malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device |

The following versions of Citrix Secure Mail are affected by these issues:

  • Citrix Secure Mail for Android before 20.11.0

Citrix Secure Mail for iOS is unaffected by these vulnerabilities.

Mitigating Factors

Customers who have enabled automatic updates on their device will be automatically updated to a fixed version of Citrix Secure Mail.

What Customers Should Do

The issues have been addressed in the following versions of Citrix Secure Mail:

  • Citrix Secure Mail for Android 20.11.0 and later

Customers are recommended to ensure that users of Secure Mail for Android have updated to the latest version using the Google Play Store as soon as possible.
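An added example, not part of the Citrix bulletin: a Python audit of a device inventory export that flags Secure Mail for Android installs older than 20.11.0. The CSV layout, column names and device rows are constructed for illustration; versions are compared numerically because a plain string comparison would rank 20.9.5 above 20.11.0.

```python
import csv
import io

FIXED = (20, 11, 0)  # first fixed Android release named in the bulletin

# Constructed sample inventory export; the column names are hypothetical.
SAMPLE_INVENTORY = """device_id,platform,app,version
dev-001,Android,Citrix Secure Mail,20.9.5
dev-002,Android,Citrix Secure Mail,20.11.0
dev-003,iOS,Citrix Secure Mail,20.8.0
dev-004,Android,Citrix Secure Mail,20.10.5.3
dev-005,Android,Citrix Secure Mail,unknown
dev-006,Android,Citrix Secure Mail,21.1.0
dev-007,Android,Other App,1.0.0
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when version < 20.11.0; shorter tuples are zero-padded first."""
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(FIXED)


def audit(inventory_csv):
    """Return (affected, unparsed) device id lists for Secure Mail on Android."""
    affected, unparsed = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["app"] != "Citrix Secure Mail" or row["platform"].lower() != "android":
            continue  # other apps are out of scope; iOS is unaffected per the bulletin
        version = parse_version(row["version"])
        if version is None:
            unparsed.append(row["device_id"])  # version unknown: follow up manually
        elif is_affected(version):
            affected.append(row["device_id"])
    return affected, unparsed


if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Devices returned in the second list have no usable version string and should be treated as unverified rather than as patched.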

Acknowledgements

Citrix would like to thank Julien Thomas of Protektoid project for working with us to protect Citrix customers.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: <https://www.citrix.com/about/trust-center/vulnerability-process.html>

Disclaimer

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time.

Changelog

| Date | Change |
|---|---|
| 2020-12-08 | Initial Publication |
