CVE-2019-13608 - XML External Entity (XXE) Processing Vulnerability in Citrix StoreFront Server

Related Vulnerabilities: CVE-2019-13608  

Description of Problem

An XML External Entity (XXE) processing vulnerability has been identified in Citrix StoreFront Server that could allow an unauthenticated attacker to retrieve potentially sensitive information from the server.

This vulnerability has been assigned the following CVE number:

• CVE-2019-13608: XML External Entity (XXE) Processing Vulnerability in Citrix StoreFront Server.

This vulnerability affects the following Citrix StoreFront Server versions:

• Citrix StoreFront Server earlier than 1903

• Citrix StoreFront Server 7.15 LTSR earlier than CU4 (3.12.4000)

• Citrix StoreFront Server 7.6 LTSR earlier than CU8 (3.0.8000)
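The advisory names the defect class but not the parser setting behind it. As an added illustration (not StoreFront code, and no claim about where the flaw lived in the product), the following C# contrasts a .NET XmlReader configuration that processes DTDs with one that refuses them; the sample document is constructed and uses only an internal entity, since external entities ride on the same DOCTYPE mechanism and are closed off by the same setting.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

static class DtdHandlingDemo
{
    // Constructed input: a DOCTYPE declaring one internal entity. External
    // entities are declared the same way, so refusing DTDs refuses them too.
    const string Sample =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE note [<!ENTITY who \"constructed-value\">]>" +
        "<note>&who;</note>";

    // Weak configuration: DTDs are parsed, entities are expanded, and a
    // resolver is present to fetch external resources. This is the XXE shape.
    static XmlReaderSettings WeakSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver()
    };

    // Hardened configuration: any DOCTYPE is a fatal XmlException, and with
    // no resolver nothing could be fetched even if a DTD were processed.
    static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    // Reads the sample with the given settings and returns the text content
    // the parser produced (entity references already expanded by the reader).
    static string ReadText(XmlReaderSettings settings)
    {
        using var reader = XmlReader.Create(new StringReader(Sample), settings);
        var text = new StringBuilder();
        while (reader.Read())
            if (reader.NodeType == XmlNodeType.Text) text.Append(reader.Value);
        return text.ToString();
    }

    static void Main()
    {
        // Weak settings accept the DOCTYPE and expand the entity.
        Console.WriteLine($"weak: '{ReadText(WeakSettings())}'");
        // Hardened settings reject the document before any entity is touched.
        try { ReadText(HardenedSettings()); Console.WriteLine("hardened: accepted"); }
        catch (XmlException e) { Console.WriteLine($"hardened: rejected ({e.Message})"); }
    }
}
```

Auditing application code for XmlReaderSettings, XmlDocument or XmlTextReader instances that leave DtdProcessing on Parse or keep a non-null XmlResolver is the corresponding defender's check.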

Mitigating Factors

Considerations for StoreFront front ended by NetScaler as documented here: https://docs.citrix.com/en-us/netscaler-gateway/12/integrate-with-storefront.html

In configurations with the NetScaler Gateway integration, a client that is outside the trusted network must authenticate in order to be able to execute the attack against StoreFront. This configuration makes this an authenticated attack, rather than an unauthenticated one, adding an additional layer of defense.

Clients within the trusted network will be able to execute the attack against the StoreFront as documented.

What Customers Should Do

The XXE vulnerability has been addressed in the following Citrix StoreFront Server versions:

• StoreFront 1903

• StoreFront 7.15 LTSR CU4 (3.12.4000)

• StoreFront 7.6 LTSR CU8 (3.0.8000)

Citrix strongly recommends that customers upgrade their Citrix StoreFront Server deployments to one of these versions or newer. These updates can be obtained from the following location:

https://www.citrix.com/downloads/storefront/

Acknowledgements

Citrix thanks Vahagn Vardanyan for working with us to protect Citrix customers.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Changelog

Date              Change
20th August 2019  Initial Publishing
28th August 2019  Added "Mitigating Factors" section