A software-defined wide-area network (SD-WAN) is a cloud-managed networking architecture that enterprises and smaller businesses with multiple locations often use. It connects branch sites, data centers and cloud instances over whatever underlying transport is available, and a central software controller manages the nodes, links and policies that make up the overlay.
Researchers have recently disclosed three bugs in the Citrix SD-WAN platform that could allow attackers to execute code remotely and take over the network. Severity ratings for the issues had not been assigned at the time of writing. Citrix tracks the bugs, which affect SD-WAN Center, as CVE-2020-8271, CVE-2020-8272 and CVE-2020-8273.
CVE-2020-8271 affects versions of Citrix SD-WAN before 11.2.2. It is an unauthenticated path traversal combined with a shell injection in the stop_ping handler, and it gives an attacker unauthenticated remote code execution (RCE) as root on SD-WAN Center. The Citrix advisory notes that the attacker must be able to reach SD-WAN Center's management IP address or fully qualified domain name (FQDN).
According to Realmode researcher Ariel Tempelhof, the stop_ping action, reachable through the collector and diagnostics endpoints, takes a $req_id parameter, reads a pid file whose path is derived from it (the page gives /tmp/pid) and uses the file's contents in a shell_exec call. Citrix SD-WAN does not sanitize $req_id, so the path can traverse outside the intended directory. An attacker who can place a file with controlled contents anywhere on the appliance can therefore point $req_id at that file and have its contents executed as a shell command.
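The pattern described above, an unsanitized identifier that selects a file whose contents are then spliced into a shell command, is shown below as an added example. This is illustrative Python written for this page, not Citrix's PHP code or Realmode's proof of concept; the directory layout, the `kill`-style command and the sample files are constructed assumptions. The vulnerable model sits beside a hardened version that allowlists the identifier, confines the resolved path to the pid directory (which also catches symlinks that pass the allowlist) and invokes the command as an argument vector rather than a shell string.

```python
import os
import re
import subprocess
import tempfile

# Allowlist for request identifiers: no separators, no traversal characters.
REQ_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_command_unsafe(pid_dir, req_id):
    """Model of the vulnerable pattern (assumption, not the product's code):
    req_id is joined into a path, the file is read, and its raw contents are
    concatenated into a string destined for a shell interpreter."""
    path = os.path.join(pid_dir, req_id)          # "../x" walks out of pid_dir
    with open(path) as f:
        pid = f.read().strip()
    return "kill " + pid                           # would go to shell_exec()


def resolve_pid_file_safe(pid_dir, req_id):
    """Hardened lookup: reject anything outside the allowlist, then confirm the
    fully resolved path (symlinks followed) still lives inside pid_dir."""
    if not REQ_ID_RE.match(req_id):
        raise ValueError("bad request id")
    base = os.path.realpath(pid_dir)
    path = os.path.realpath(os.path.join(base, req_id))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes pid directory")
    return path


def read_pid_safe(pid_dir, req_id):
    """Read the pid file and insist that it holds only an integer."""
    with open(resolve_pid_file_safe(pid_dir, req_id)) as f:
        data = f.read().strip()
    if not data.isdigit():
        raise ValueError("pid file does not contain an integer")
    return int(data)


def stop_ping_safe(pid_dir, req_id, runner=subprocess.run):
    """Hardened handler: the pid is an int and the command is an argv list,
    so no shell ever parses attacker-influenced text."""
    pid = read_pid_safe(pid_dir, req_id)
    return runner(["kill", str(pid)], check=False)


def demo():
    """Constructed scenario: one legitimate pid file, one attacker-controlled
    file outside the pid directory, and a symlink inside it pointing out."""
    root = tempfile.mkdtemp()
    pid_dir = os.path.join(root, "pid")
    os.makedirs(pid_dir)
    with open(os.path.join(pid_dir, "abc123"), "w") as f:
        f.write("4242\n")
    planted = os.path.join(root, "planted")
    with open(planted, "w") as f:
        f.write("4242; id > /tmp/pwned\n")         # attacker-chosen contents
    os.symlink(planted, os.path.join(pid_dir, "link1"))

    results = {
        "legit_unsafe": build_command_unsafe(pid_dir, "abc123"),
        "traversal_unsafe": build_command_unsafe(pid_dir, "../planted"),
        "legit_safe": read_pid_safe(pid_dir, "abc123"),
        "argv": stop_ping_safe(pid_dir, "abc123", runner=lambda argv, check: argv),
    }
    for key, req_id in (("traversal_safe", "../planted"), ("symlink_safe", "link1")):
        try:
            read_pid_safe(pid_dir, req_id)
            results[key] = "allowed"
        except ValueError as e:
            results[key] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the unsafe model turning a traversal into `kill 4242; id > /tmp/pwned`, while the hardened path rejects the traversal at the allowlist and the symlink at the realpath check, and only ever hands `["kill", "4242"]` to the process runner.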
CVE-2020-8272 affects versions of Citrix SD-WAN before 11.1.2b and is an authentication bypass for ConfigEditor. It stems from the way CakePHP translates the request's Uniform Resource Identifier (URI) into controller and action parameters, which can expose SD-WAN functionality without authentication. As with CVE-2020-8271, the attacker must be able to reach SD-WAN Center's management IP address or FQDN.
Citrix SD-WAN runs on Apache and uses CakePHP 2 as its web framework. The bug lies in the `_url` function in CakeRequest.php, which derives the request path from the Uniform Resource Locator (URL). According to Tempelhof, when REQUEST_URI contains a "?" after the string "://", this function discards the beginning of the URI. The result is a discrepancy between the path Apache matched the request against and the path CakePHP routes, and that discrepancy lets an attacker bypass the client-certificate check Apache enforces on the Collector endpoint.
Assume for this example that an attacker requests a URI of the form "xxx/://?/collector/diagnostics/stop_ping". Apache treats everything after the "?" as a query string, so the request does not look like one for /collector and no client certificate or authentication is demanded. CakePHP, however, rewrites the URI to "/collector/diagnostics/stop_ping" and dispatches it. The attacker can reach ConfigEditor functionality the same way.
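Below is an added example, written for this page rather than taken from CakePHP or Realmode, that models the two views of the request described above and turns the mismatch into a log check. The `cakephp_style_view` function is a deliberately simplified model of the quirk as the article states it (drop everything up to and including the first "?" that follows "://"), not a transcription of CakeRequest.php; the protected prefix list, the log format and the sample access-log lines are constructed assumptions.

```python
import re

# Paths that, in this model, Apache protects with a client-certificate
# requirement (assumption: the page names only the Collector endpoint).
PROTECTED_PREFIXES = ("/collector/",)

# Apache combined-log request line, e.g. "GET /path?x=1 HTTP/1.1".
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def apache_view(request_uri):
    """The path Apache matches <Location> rules against: everything before
    the first '?'; the remainder is the query string."""
    return request_uri.split("?", 1)[0]


def cakephp_style_view(request_uri):
    """Simplified model of the framework quirk the article describes: if the
    URI contains '://' and a '?' somewhere after it, the framework treats the
    text through that '?' as a base URL and discards it. Model only."""
    scheme_pos = request_uri.find("://")
    if scheme_pos != -1:
        q = request_uri.find("?", scheme_pos)
        if q != -1:
            return request_uri[q + 1:]
    return request_uri.split("?", 1)[0]


def requires_client_cert(path):
    return path.startswith(PROTECTED_PREFIXES)


def routing_mismatch(request_uri):
    """True when the front end would skip the certificate check but the
    framework would still dispatch the request to a protected route."""
    front = apache_view(request_uri)
    app = cakephp_style_view(request_uri)
    return (not requires_client_cert(front)) and requires_client_cert(app)


def suspicious_log_lines(lines):
    """Return the request URIs from access-log lines that exhibit the
    front-end/framework routing mismatch."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and routing_mismatch(m.group("uri")):
            hits.append(m.group("uri"))
    return hits


# Constructed sample log lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2020:10:01:02 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2020:10:01:05 +0000] '
    '"GET /collector/diagnostics/stop_ping?req_id=12 HTTP/1.1" 403 199',
    '203.0.113.7 - - [01/Dec/2020:10:01:09 +0000] '
    '"GET /xxx/://?/collector/diagnostics/stop_ping HTTP/1.1" 200 88',
]


if __name__ == "__main__":
    for uri in suspicious_log_lines(SAMPLE_LOG):
        print("mismatch:", uri, "->", cakephp_style_view(uri))
```

The direct request for /collector/diagnostics/stop_ping is caught by the front end (a 403 in the constructed log), while the "://?" form passes Apache as a request for /xxx/:// and is flagged because the framework view lands on the protected route. A request line containing "://" in its path component is itself unusual and worth alerting on even where no protected route is reached.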
SD-WAN is of interest to attackers because it is a growing market segment, and implementations from top vendors have had other problems. For example, Realmode recently reported three remote code execution bugs in the Silver Peak Unity Orchestrator for SD-WAN that an unauthenticated attacker could chain to take control of a network.
Similar flaws have turned up in related products, such as a zero-day bug in multiple versions of Citrix Gateway and Application Delivery Controller (ADC) that allowed attackers to perform RCE and take over appliances. Cisco Systems patched three high-severity vulnerabilities in March that would have allowed local, authenticated attackers to execute commands with root privileges. A similar bug was also found in Cisco's Internetworking Operating System (IOS) XE, the Linux-based version of IOS used in SD-WAN deployments.