Vulmon
Description of Problem
A command injection vulnerability has been identified in the management console of Citrix SD-WAN Center and NetScaler SD-WAN Center. This vulnerability could allow an unauthenticated attacker with access to the management console to compromise the host. A low severity cross-site scripting (XSS) vulnerability has been identified in the management console of Citrix SD-WAN Center and NetScaler SD-WAN Center. This vulnerability if exploited by an attacker, could potentially be used to execute malicious client-side script in the browser of a user then the script may be able to gain access to potentially sensitive information. The vulnerabilities have been assigned the following CVE numbers.
CVE-2019-10883: (Critical) Command Injection in Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center 10.0.x before 10.0.7.
CVE-2019-11345: (Low) Cross-Site Scripting in Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center 10.0.x before 10.0.7.
Affected Versions:
- All versions of NetScaler SD-WAN Center 9.x *
- All versions of NetScaler SD-WAN Center 10.0.x earlier than 10.0.7
- All versions of Citrix SD-WAN Center 10.1.x *
- All versions of Citrix SD-WAN Center 10.2.x earlier than 10.2.1
* Upgrade to 10.0.7 or 10.2.1 for security update
Mitigating Factors
In order to protect against this vulnerability and web application related issues, Citrix recommends access to the management console be restricted. In situations where customers have deployed their management console in line with industry best practice, network access to this interface should already be restricted.
Security Best Practices:
10.x - https://docs.citrix.com/en-us/netscaler-sd-wan/10/best-practices/security-best-practices.html
What Customers Should Do
This vulnerability has been addressed in the following software versions:
• NetScaler SD-WAN Center 10.0.7
• Citrix SD-WAN Center 10.2.1
Citrix strongly recommends that customers using vulnerable software update their management console to the new version or later as soon as possible.
If you are using a version of SD-WAN that is no longer supported, you should upgrade to the new version of the product that includes the security update.
The new software versions will be available on the Citrix website. Information on the available versions can be found at the following location:
https://www.citrix.com/downloads/netscaler-sd-wan/
In line with general best practice, Citrix also recommends that customers limit access to the management console of the Citrix SD-WAN Center / NetScaler SD-WAN Center to trusted network traffic only.
Acknowledgements
Citrix thanks Tenable, Inc. (CVE-2019-10883) and Vasile Revnic (CVE-2019-11345) for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
| Date | Change |
| 10th April 2019 | Initial publishing |
| 23rd April 2019 | Added CVE-2019-11345 |