Bugs in Citrix SD-WAN Allow Remote Code Execution

Author: Melodie Foster

Date: 18th November 2020

The flaws found in the Citrix software-defined (SD)-WAN platform (CVE-2020-8271, CVE-2020–8272 and CVE-2020–8273) affect versions before 11.2.2, 11.1.2b and 10.2.8. The first flaw (CVE 2020-8271) is an unauthenticated path traversal and shell injection problem in stop_ping. The second flaw (CVE-2020–8272) is a ConfigEditor authentication bypass and the final flaw (CVE-2020-8273) is a CreateAzureDeployment shell injection issue.

The first two flaws require an attacker to be able to communicate with SD-WAN Center’s Management IP address or fully qualified domain name. The last flaw requires an attacker to be authenticated.

According to Citrix, the first vulnerability allows unauthenticated remote code execution with root privileges in Citrix SD-WAN Center. This is because “the /collector/diagnostics/stop_ping endpoint reads the file /tmp/pid_. $req_id and uses its contents in a shell_exec call. No sanitization is performed on the user supplied $req_id which allows path traversal. One can drop a file with user-controlled content anywhere (for example, using /collector/licensing/upload) and run an arbitrary shell command.” Wrote a Realmode researcher, whose report provided more detail about the flaws.

The second vulnerability can result in unauthenticated exposure of SD-WAN functionality because of how CakePHP translates the URI endpoint function parameters. “If our REQUEST_URI contains ? after a :// the beginning of the URI will be removed. This will cause a discrepancy between how Apache sees the URI and how CakePHP analyzes it, which in turn allows us to bypass the client certificate check for the Collector endpoint.” According to the Realmode report.

The third vulnerability is user-supplied data that is being JSON encoded and concatenated to an exec call.

Last week Realmode disclosed three remote code-execution security bugs in the Silver Peak Unity Orchestrator for SD-WAN. Furthermore, the Realmode team disclosed they had found similar flaws in two other SD-WAN platforms which have now been patched.[1]

[1] https://threatpost.com/citrix-sd-wan-bugs-remote-code-execution/161274/

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

Bugs in Citrix SD-WAN Allow Remote Code Execution

Author: Melodie Foster

Date: 18th November 2020

Other resources

Cyberfort Colocation Services

What can Cyberfort do for you?

Cyberfort Deep Dives

Recent Posts

Recent Comments

Archives

Categories

Meta