Citrix SD-WAN Bugs Allow Remote Code Execution

  • The bugs tracked as CVE-2020-8271, CVE-2020-8272 and CVE-2020-8273 exist in the Citrix SD-WAN Center.

    Three security bugs in the Citrix software-defined WAN (SD-WAN) platform could allow remote code execution and network takeover, according to researchers.

    The flaws affect the Citrix SD-WAN Center (in versions before 11.2.2, 11.1.2b and 10.2.8). They consist of an unauthenticated path traversal and shell injection issue in stop_ping (CVE-2020-8271), a ConfigEditor authentication bypass (CVE-2020-8272) and a CreateAzureDeployment shell injection issue (CVE-2020-8273). Severity scores have not yet been issued.

    In the first two cases, an attacker must be able to communicate with SD-WAN Center’s management IP address or fully qualified domain name (FQDN), according to Citrix’s advisory, issued last week. For the third, an attacker would need to be authenticated.

    The first vulnerability allows unauthenticated RCE with root privileges in Citrix SD-WAN Center, according to Citrix. A writeup from Realmode Labs on Monday went into more depth on where it exists.

    For CVE-2020-8271, “the /collector/diagnostics/stop_ping endpoint reads the file /tmp/pid_$req_id and uses its contents in a shell_exec call,” according to Realmode researcher Ariel Tempelhof. “No sanitization is performed on the user-supplied $req_id, which allows path traversal. One can drop a file with user-controlled content anywhere (for example, using /collector/licensing/add) and run an arbitrary shell command.”

    The second bug has to do with how CakePHP translates the URI into endpoint function parameters. It can result in unauthenticated exposure of SD-WAN functionality.

    The Citrix SD-WAN infrastructure runs on Apache with CakePHP2 as the framework. Researchers at Realmode found a gap in the way the CakePHP2 framework handles URLs. For that, Citrix uses the function _url in CakeRequest.php.

    “If our Request_URI contains a ? after a ://, the beginning of the URI will be removed,” according to Tempelhof, in a Monday posting. “This will cause a discrepancy between how Apache sees the URI and how CakePHP parses it, which in turn allows us to bypass the client certificate check for the Collector endpoint.”

    For instance, a URI of the form “aaaaaaaaaaaaaaaaa/://?/collector/diagnostics/stop_ping” will translate to /collector/diagnostics/stop_ping and require neither a client certificate nor authentication, he said. This allows an unauthenticated attacker to access the ConfigEditor functionality.
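As an added, illustrative detector (not code from the original article, Citrix or Realmode), the following Python scans constructed Apache access-log lines for the two request shapes described above: a URI containing ? after :// (the Apache/CakePHP parsing discrepancy) and a stop_ping request whose req_id is not a plain token (the path-traversal vector). The log lines, the req_id token rule and the finding labels are assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Nov/2020:10:01:02 +0000] "GET /collector/diagnostics/stop_ping?req_id=42 HTTP/1.1" 200 12
10.0.0.7 - - [16/Nov/2020:10:01:09 +0000] "GET /collector/diagnostics/stop_ping?req_id=../../etc/passwd HTTP/1.1" 200 12
10.0.0.9 - - [16/Nov/2020:10:02:30 +0000] "GET /aaaaaaaaaaaaaaaaa/://?/collector/diagnostics/stop_ping HTTP/1.1" 200 12
10.0.0.3 - - [16/Nov/2020:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 512
"""

# Extract method and raw request-URI from the quoted request line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def cake_rewrite_discrepancy(uri: str) -> bool:
    """True when the raw URI has '://' followed later by '?', the shape that
    makes CakePHP drop the prefix Apache applied its access checks to."""
    i = uri.find("://")
    return i != -1 and "?" in uri[i + 3:]


def traversal_in_req_id(uri: str) -> bool:
    """True for stop_ping requests whose req_id is not a plain token
    (assumed rule: only [A-Za-z0-9_-] is a legitimate request id)."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/collector/diagnostics/stop_ping"):
        return False
    for value in parse_qs(parts.query).get("req_id", []):
        if not re.fullmatch(r"[A-Za-z0-9_-]+", unquote(value)):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (reason, uri) findings for each suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue  # malformed or non-request line; skip
        uri = m.group("uri")
        if cake_rewrite_discrepancy(uri):
            findings.append(("cakephp-uri-discrepancy", uri))
        if traversal_in_req_id(uri):
            findings.append(("stop_ping-req_id-traversal", uri))
    return findings


if __name__ == "__main__":
    for reason, uri in scan_log(SAMPLE_LOG):
        print(f"{reason}: {uri}")
```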

    As for the third bug, user-provided data is JSON encoded and concatenated into an exec call in the code, Tempelhof said.

    “In defense of Citrix we’ll admit that it’s hard to anticipate that CakePHP would handle URLs the way that it does,” Tempelhof said. “That’s why performing dedicated security audits on your products is so important.”

    Last week, Realmode disclosed three remote code-execution security bugs in the Silver Peak Unity Orchestrator for SD-WAN. They can be chained together to allow network takeover by unauthenticated attackers.

    Tempelhof said that his team found similar flaws in two more SD-WAN platforms (all now patched), which will be disclosed soon.

    SD-WAN is a cloud-based networking approach used by enterprises and multi-location firms of all sizes. It allows sites and cloud instances to be connected to each other and to company resources over any type of connectivity, and applies software control to managing that process, including the orchestration of resources and nodes.

    It is a growing market segment, and as such is of interest to cybercriminals. Unfortunately, major SD-WAN vendors have had issues in the past.

    For instance, in March, Cisco Systems fixed three high-severity vulnerabilities that could allow local, authenticated attackers to execute commands with root privileges. A similar bug was found a month later in Cisco’s IOS XE, a Linux-based version of Cisco’s Internetworking Operating System (IOS) used in SD-WAN deployments.

    And last December, a critical zero-day bug was found in several versions of the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, which are used in SD-WAN implementations, that allowed device takeover and RCE. In-the-wild attacks and public exploits quickly piled up after it was announced.
