Security researchers have discovered critical vulnerabilities in Citrix SD-WAN appliance and management console. Hackers could remotely exploit the vulnerabilities without authentication and gain root access.
Citrix SD-WAN technology increases the performance and reliability of enterprise applications, SaaS applications and virtual desktops over any network while simplifying branch networks.
Tenable security experts reported the vulnerabilities to Citrix on May 23. Citrix later confirmed the bugs on June 4 and then released a patch on July 3 2019.
In total, Tenable discovered two issues in SD-WAN appliances – an unauthenticated SQL Injection vulnerability CVE-2019-12989 and Authenticated Command Injection vulnerability CVE-2019-12991.
SQL Injection issue
Tenable described one SQL injection issue in recent research post:
“The cgi-bin/sdwanrestapi/getpackagefile.cgi Perl script contains a SQL injection vulnerability that can be exploited by a remote, unauthenticated attacker. Input validation is not applied before incorporating user input in a SQL query.”
To add, an attacker could exploit this vulnerability with a crafted HTTP request, then write files to directories by the ‘mysql’ user. All while bypassing authentication.
Command Injection issue
For the second issue, a command injection vulnerability impacts Installpatch.cgi.
“This vulnerability can be exploited by a remote, authenticated attacker to execute OS commands with root privileges. Specifically, the ‘installfile’ parameter value is not validated prior to using it in a call to the Perl system() function,” Tenable added.
Citrix released a security advisory on July 10 and acknowledged the previously mentioned and six other vulnerabilities in the management console of the Citrix SD-WAN Center and NetScaler SD-WAN Center.
The advisory include the following fixed vulnerabilities (along with impacted product versions):
- CVE-2019-12985 – Unauthenticated Command Injection in Citrix SD-WAN Center 10.2.x before 10.2.3 and NetScaler SD-WAN Center 10.0.x before 10.0.8.
- CVE-2019-12986 – Unauthenticated Command Injection in Citrix SD-WAN Center 10.2.x before 10.2.3 and NetScaler SD-WAN Center 10.0.x before 10.0.8.
- CVE-2019-12987 – Unauthenticated Command Injection in Citrix SD-WAN Center 10.2.x before 10.2.3 and NetScaler SD-WAN Center 10.0.x before 10.0.8.
- CVE-2019-12988 – Unauthenticated Command Injection in Citrix SD-WAN Center 10.2.x before 10.2.3 and NetScaler SD-WAN Center 10.0.x before 10.0.8.
- CVE-2019-12990 – Unauthenticated Directory Traversal File Write in Citrix SD-WAN Center 10.2.x before 10.2.3 and NetScaler SD-WAN Center 10.0.x before 10.0.8.
- CVE-2019-12992 – Authenticated Command Injection in Citrix SD-WAN Center 10.2.x before 10.2.3 and NetScaler SD-WAN Center 10.0.x before 10.0.8.
Software mitigations
Citrix recommends customers address the vulnerabilities by upgrading to the following software versions of SD-WAN Center management console and appliances:
- NetScaler SD-WAN Center 10.0.8 and NetScaler SD-WAN 10.0.8 Appliance
- Citrix SD-WAN Center 10.2.3 and Citrix SD-WAN 10.2.3 Appliance.
Citrix also provided NetScaler SD-WAN best practices, to include physical security, appliance security, network security and administration and management.