PT-2018-14321 · Citrix · Citrix Xen Mobile

Glyn Wintle

·

Published

2018-10-24

·

Updated

2024-08-05

·

CVE-2018-18014

CVSS v3.1

7.8

High

Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Citrix Xen Mobile versions through 10.8
Description: The private services listening on ports 8000, 30000 and 30001 do not authenticate their callers, which allows a low-privileged local user to execute system commands as root by making requests to them. The vendor disputes that this is a vulnerability, stating that it is already mitigated by the internal firewall, which limits access to the configuration services to localhost. Note that a localhost-only firewall rule does not restrict a user who already holds an account on the host, and that is exactly the attacker assumed by the CVSS vector (AV:L, PR:L).

Recommendations: For Citrix Xen Mobile versions through 10.8, restrict access to the private services on ports 8000, 30000 and 30001 to the accounts that legitimately need to call them; a rule that only limits the services to localhost is not sufficient, because the attacker is a local user. As a temporary workaround, limit the ability of low-privileged local users to make requests to these services until a definitive fix is available. At the time of writing there is no information about a newer version that contains a fix for this issue.
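As an added example (not part of this advisory and not Citrix's own tooling), the following POSIX shell script shows the two checks a practitioner would want on an affected host: which of the three private ports are actually listening and on which address, and what a loopback rule that gates access by the connecting user, rather than by source address, looks like. The port list comes from the advisory; the use of the iptables owner match, the sample `ss -ltn` output and the service UID 1001 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Citrix.
# Audits the private XenMobile service ports named in the advisory and
# emits loopback egress rules that gate access by connecting UID.
set -eu

# Ports taken from the advisory.
PRIVATE_PORTS="8000 30000 30001"

# Read `ss -ltn` output on stdin and print "<port> <bind-address>" for every
# listener on one of the private ports. A 127.0.0.1 bind only means remote
# hosts cannot connect; every local account still can.
report_private_listeners() {
    awk -v ports="$PRIVATE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "State" { next }                     # ss header line
        $1 == "LISTEN" {
            la = $4                                # Local Address:Port column
            port = la; sub(/.*:/, "", port)
            addr = la; sub(/:[0-9]+$/, "", addr)
            if (port in want) print port, addr
        }'
}

# Print (do not apply) iptables rules for the OUTPUT chain on lo that let
# only root and ALLOWED_UID reach the private ports and reject everyone else.
# The owner match is used because the attacker is local: a rule that filters
# on source address cannot tell one local user from another.
# ALLOWED_UID is assumed to be the account the services run as; verify which
# accounts legitimately call these ports before applying anything.
loopback_owner_rules() {
    allowed_uid="$1"
    for port in $PRIVATE_PORTS; do
        printf 'iptables -A OUTPUT -o lo -p tcp --dport %s -m owner --uid-owner 0 -j ACCEPT\n' "$port"
        printf 'iptables -A OUTPUT -o lo -p tcp --dport %s -m owner --uid-owner %s -j ACCEPT\n' "$port" "$allowed_uid"
        printf 'iptables -A OUTPUT -o lo -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$port"
    done
}

# Constructed sample of `ss -ltn` output (not captured from a real host):
# one private port bound to loopback only, two bound to all interfaces,
# plus an unrelated HTTPS listener that must be ignored.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:30000       0.0.0.0:*
LISTEN 0      128    [::]:30001          [::]:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*'

echo "# private listeners found in sample output:"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | report_private_listeners
echo "# candidate loopback rules (review before applying):"
loopback_owner_rules 1001
```

On a live host, replace the sample with `ss -ltn | report_private_listeners`. The owner match only affects packets generated on the host itself, which is why it is placed on the OUTPUT chain for the lo interface: it constrains which local accounts can open a connection to the ports, which the vendor's localhost-only rule does not, and it does nothing for remote traffic, which that rule already covers.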


Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2018-18014

Affected Products

Citrix Xen Mobile