Bugs in Citrix SD-WAN Allow Remote Code Execution

The flaws found in the Citrix software-defined (SD)-WAN platform (CVE-2020-8271, CVE-2020–8272 and CVE-2020–8273) affect versions before 11.2.2, 11.1.2b and 10.2.8. The first flaw (CVE 2020-8271) is an unauthenticated path traversal and shell injection problem in stop_ping. The second flaw (CVE-2020–8272) is a ConfigEditor authentication bypass and the final flaw (CVE-2020-8273) is a CreateAzureDeployment shell injection issue.

The first two flaws require an attacker to be able to communicate with SD-WAN Center’s Management IP address or fully qualified domain name. The last flaw requires an attacker to be authenticated.

According to Citrix, the first vulnerability allows unauthenticated remote code execution with root privileges in Citrix SD-WAN Center. This is because “the /collector/diagnostics/stop_ping endpoint reads the file /tmp/pid_. $req_id and uses its contents in a shell_exec call. No sanitization is performed on the user supplied $req_id which allows path traversal. One can drop a file with user-controlled content anywhere (for example, using /collector/licensing/upload) and run an arbitrary shell command.” Wrote a Realmode researcher, whose report provided more detail about the flaws.