Author: Melodie Foster
Date: 18th November 2020
The flaws found in the Citrix software-defined (SD)-WAN platform (CVE-2020-8271, CVE-2020-8272 and CVE-2020-8273) affect versions before 11.2.2, 11.1.2b and 10.2.8. The first flaw (CVE-2020-8271) is an unauthenticated path traversal and shell injection problem in stop_ping. The second flaw (CVE-2020-8272) is a ConfigEditor authentication bypass and the final flaw (CVE-2020-8273) is a CreateAzureDeployment shell injection issue.
The first two flaws require an attacker to be able to communicate with SD-WAN Center’s Management IP address or fully qualified domain name. The last flaw requires an attacker to be authenticated.
According to Citrix, the first vulnerability allows unauthenticated remote code execution with root privileges in Citrix SD-WAN Center. This is because “the /collector/diagnostics/stop_ping endpoint reads the file /tmp/pid_. $req_id and uses its contents in a shell_exec call. No sanitization is performed on the user supplied $req_id which allows path traversal. One can drop a file with user-controlled content anywhere (for example, using /collector/licensing/upload) and run an arbitrary shell command,” wrote a Realmode researcher, whose report provided more detail about the flaws.
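The stop_ping pattern described above, shown beside a hardened handler, as an added example that is not Citrix's code or part of the Realmode report. The function names, the `kill` command and the `$dir` and `$signal` parameters are assumptions made for illustration; only the `/tmp/pid_` prefix and `$req_id` come from the report.

```php
<?php
// Added illustration, not Citrix's code. Function names, the `kill` command
// and the $dir/$signal parameters are assumptions made for this example.

// Pattern the report describes, kept only for comparison with the fix below.
function stop_ping_vulnerable(string $req_id)
{
    $pid = file_get_contents('/tmp/pid_' . $req_id); // "../" in $req_id leaves /tmp
    return shell_exec('kill ' . $pid);               // file contents reach a shell
}

function stop_ping_hardened(string $req_id, string $dir = '/tmp', int $signal = 15): bool
{
    // 1. Allow-list the identifier: digits only, so "/" and ".." cannot appear.
    if (!preg_match('/\A[0-9]{1,10}\z/', $req_id)) {
        return false;
    }
    // 2. Reject symlinks and anything that does not resolve directly inside $dir.
    $path = $dir . '/pid_' . $req_id;
    $real = realpath($path);
    if ($real === false || is_link($path) || dirname($real) !== realpath($dir)) {
        return false;
    }
    // 3. File contents are untrusted too: accept only a plausible PID (> 1).
    $raw = trim((string) file_get_contents($real));
    if (!preg_match('/\A[0-9]{1,7}\z/', $raw) || (int) $raw <= 1) {
        return false;
    }
    // 4. Signal the process directly (15 = SIGTERM); no shell parses the value.
    return posix_kill((int) $raw, $signal);
}

// Constructed demo: private temp directory, signal 0 (existence check only).
$dir = sys_get_temp_dir() . '/stop_ping_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/pid_42", (string) getmypid());
file_put_contents("$dir/pid_43", "1; not-a-pid");
var_dump(stop_ping_hardened('42', $dir, 0));        // numeric id, numeric PID file
var_dump(stop_ping_hardened('../pid_42', $dir, 0)); // traversal sequence in the id
var_dump(stop_ping_hardened('43', $dir, 0));        // PID file with non-numeric contents
array_map('unlink', glob("$dir/pid_*"));
rmdir($dir);
```

A production handler would also confirm that the PID belongs to a ping process started by the application before signalling it.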
The second vulnerability can result in unauthenticated exposure of SD-WAN functionality because of how CakePHP translates the URI endpoint function parameters. “If our REQUEST_URI contains ? after a :// the beginning of the URI will be removed. This will cause a discrepancy between how Apache sees the URI and how CakePHP analyzes it, which in turn allows us to bypass the client certificate check for the Collector endpoint,” according to the Realmode report.
The third vulnerability arises because user-supplied data is JSON-encoded and then concatenated into an exec call.
Last week Realmode disclosed three remote code-execution security bugs in the Silver Peak Unity Orchestrator for SD-WAN. Furthermore, the Realmode team disclosed they had found similar flaws in two other SD-WAN platforms which have now been patched.[1]
[1] https://threatpost.com/citrix-sd-wan-bugs-remote-code-execution/161274/