Three security bugs in the Citrix software-defined (SD)-WAN platform would allow remote code-execution and network takeover, according to researchers. The flaws affect the Citrix SD-WAN Center (in versions before 11.2.2, 11.1.2b and 10.2.8). They consist of an unauthenticated path traversal and shell injection problem in stop_ping (CVE-2020-8271); a ConfigEditor authentication bypass (CVE-2020-8272); and a CreateAzureDeployment shell injection issue (CVE-2020-8273). Severity scores have not yet been issued.

In the first two cases, an attacker must be able to communicate with SD-WAN Center's Management IP address or fully qualified domain name (FQDN), according to Citrix's advisory, issued last week. For the third, an attacker would need to be authenticated.

The first vulnerability allows unauthenticated RCE with root privileges in Citrix SD-WAN Center, according to Citrix. A writeup from Realmode Labs on Monday went into more detail on where it exists.

For CVE-2020-8271, "the /collector/diagnostics/stop_ping endpoint reads the file /tmp/pid_$req_id and uses its contents in a shell_exec call," according to Realmode researcher Ariel Tempelhof. "No sanitization is performed on the user supplied $req_id which allows path traversal. One can drop a file with user-controlled content anywhere (for example, using /collector/licensing/upload) and run an arbitrary shell command."

The second bug has to do with how CakePHP translates the URI to endpoint function parameters. It can…
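A defender-side illustration of the stop_ping issue described above, added here and not part of the Citrix advisory or the Realmode writeup: a small Python checker that scans access-log lines for requests to the stop_ping endpoint whose request id carries traversal sequences or shell metacharacters, the two things the quoted description says are never sanitized. The log format, the way the request id appears in the URL, and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined-style; the format and the
# position of the request id in the URL are assumptions, not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2020:10:01:02 +0000] "GET /collector/diagnostics/stop_ping/4821 HTTP/1.1" 200 17
203.0.113.9 - - [16/Nov/2020:10:01:05 +0000] "GET /collector/diagnostics/stop_ping/..%2F..%2Fvar%2Fwww%2Fup HTTP/1.1" 200 0
203.0.113.9 - - [16/Nov/2020:10:01:06 +0000] "GET /collector/diagnostics/stop_ping/4821;id HTTP/1.1" 500 0
203.0.113.5 - - [16/Nov/2020:10:02:00 +0000] "GET /collector/diagnostics/ping/4821 HTTP/1.1" 200 17
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/collector/diagnostics/stop_ping/"
# A request id that is safe to append to /tmp/pid_: a short token of digits, letters, '-' or '_'.
SAFE_ID = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def classify_req_id(raw):
    """Return None if the id is well-formed, otherwise a short reason string."""
    decoded = unquote(unquote(raw))  # undo single and double URL-encoding before checking
    if '..' in decoded or '/' in decoded or '\\' in decoded:
        return 'path-traversal'
    if re.search(r'[;&|`$(){}<>\n]', decoded):
        return 'shell-metacharacters'
    if not SAFE_ID.match(decoded):
        return 'malformed-id'
    return None


def scan_log(text):
    """Return (ip, timestamp, path, reason) tuples for each suspicious stop_ping request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group('path')
        if not path.startswith(ENDPOINT):
            continue
        req_id = path[len(ENDPOINT):].split('?', 1)[0]  # strip any query string
        reason = classify_req_id(req_id)
        if reason:
            hits.append((m.group('ip'), m.group('ts'), path, reason))
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The same `classify_req_id` check is what a handler would apply to the id before building the `/tmp/pid_` filename, rejecting anything that does not match the allow-list.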