Three security bugs in the Citrix software-defined (SD)-WAN platform would allow remote code-execution and network takeover, according to researchers.
The flaws affect the Citrix SD-WAN Center (in versions before 11.2.2, 11.1.2b and 10.2.8). They consist of an unauthenticated path traversal and shell injection problem in stop_ping (CVE-2020–8271); a ConfigEditor authentication bypass (CVE-2020–8272); and a CreateAzureDeployment shell injection issue (CVE-2020–8273). Severity scores have not yet been issued.
In the first two cases, an attacker must be able to communicate with SD-WAN Center’s Management IP address or fully qualified domain name (FQDN), according to Citrix’s advisory, issued last week. For the third, an attacker would need to be authenticated.
The first vulnerability allows unauthenticated RCE with root privileges in Citrix SD-WAN Center, according to Citrix. A writeup from Realmode Labs on Monday went into more detail on where it exists.
For CVE-2020–8271, “the /collector/diagnostics/stop_ping endpoint reads the file /tmp/pid_,” according to Realmode researcher Ariel Tempelhof. “$req_id and uses its contents in a shell_exec call. No sanitization is performed on the user supplied $req_id which allows path traversal. One can drop a file with user-controlled content anywhere (for example, using /collector/licensing/upload) and run an arbitrary shell command.”
The second bug has to do with how CakePHP translates the URI to endpoint function parameters. It can result in unauthenticated exposure of SD-WAN functionality.
The Citrix SD-WAN infrastructure runs on Apache with CakePHP2 as the framework. Researchers at Realmode found a hole in the way the CakePHP2 framework handles URLs. For that, Citrix uses the function “_url in CakeRequest.php”.
“If our REQUEST_URI contains ? after a :// the beginning of the URI will be removed,” according to Tempelhof, in a Monday posting. “This will cause a discrepancy between how Apache sees the URI and how CakePHP analyzes it, which in turn allows us to bypass the client certificate check for the Collector endpoint.”
For instance, a URI of the form “aaaaaaaaaaaaaaaaa/://?/collector/diagnostics/stop_ping” will translate to /collector/diagnostics/stop_ping and require neither client certificate nor authentication, he said. This allows an unauthenticated attacker to access the ConfigEditor functionality.
As for the third bug, user-supplied data is being JSON encoded and concatenated to an exec call using the code, Tempelhof said.
“In defense of Citrix we’ll admit that it’s hard to anticipate that CakePHP would treat URLs the way that it does,” Tempelhof said. “That’s why performing dedicated security audits on your products is so important.”
Last week, Realmode disclosed three remote code-execution security bugs in the Silver Peak Unity Orchestrator for SD-WAN. They can be chained together to allow network takeover by unauthenticated attackers.
Tempelhof said that his team found similar flaws in two more SD-WAN platforms (all now patched), which will be disclosed soon.
SD-WAN is a cloud-based networking approach used by enterprises and multilocation businesses of all sizes. It allows locations and cloud instances to be connected to each other and to company resources over any type of connectivity, and applies software control to managing that process, including the orchestration of resources and nodes.
It’s a growing market segment, and as such is of interest to cybercriminals. Unfortunately, top SD-WAN vendors have had issues in the past.
For instance, in March, Cisco Systems fixed three high-severity vulnerabilities that could enable local, authenticated attackers to execute commands with root privileges. A similar bug was found a month later in Cisco’s IOS XE, a Linux-based version of Cisco’s Internetworking Operating System (IOS) used in SD-WAN deployments.
And last December, a critical zero-day bug was found in various versions of its Citrix Application Delivery Controller (ADC) and Citrix Gateway products that allowed appliance takeover and RCE, used in SD-WAN implementations. In-the-wild attacks and public exploits quickly piled up after it was announced.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.