Researchers have found critical vulnerabilities in Citrix SD-WAN, one of the most widely used SD-WAN solutions out there, and are urging administrators to patch them as soon as possible.
The vulnerabilities and associated risks
Tenable researcher Chris Lyne unearthed two vulnerabilities in the Citrix SD-WAN appliance (formerly known as NetScaler SD-WAN) and six in the SD-WAN Center, a management system which allows enterprises to oversee all SD-WAN appliances on their WAN.
“In the SD-WAN Center, multiple remote code execution (RCE) vulnerabilities can be exploited without authentication to gain root access. In the SD-WAN appliance, an unauthenticated SQL injection can be used to bypass authentication. When combined with an authenticated command injection, an attacker can achieve unauthenticated RCE,” Tenable warns.
All of the vulnerabilities can apparently be easily exploited remotely by an unauthenticated attacker, and Tenable has published PoC exploit code for some.
“The only requirement [for a successful exploitation] is that the attacker must be able to reach an instance of either SD-WAN or SD-WAN Center,” Tenable pointed out.
“This requirement would be determined by how the instance is positioned in a network topology. Consequently, the threat actor could range from an insider threat to an external attacker.”
Ultimately, the attacker could end up bringing down the connectivity or even the entire WAN of an organization’s specific branch location (or just make harmful configuration changes to the SD-WAN).
Patches are available
Citrix fixed the flaws relatively quickly and pushed out new software versions with the fixes earlier this month.
The company has confirmed that all versions of NetScaler SD-WAN 9.x, NetScaler SD-WAN 10.0.x earlier than 10.0.8, Citrix SD-WAN 10.1.x and Citrix SD-WAN 10.2.x earlier than 10.2.3 are vulnerable.
Admins are advised to upgrade to:
- NetScaler SD-WAN Center 10.0.8 and NetScaler SD-WAN 10.0.8 Appliance
- Citrix SD-WAN Center 10.2.3 and Citrix SD-WAN 10.2.3 Appliance.
Admins are also advised to limit access to the management console of the Citrix SD-WAN Appliance / NetScaler SD-WAN Appliance to trusted network traffic only.
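The affected-version ranges listed above can be turned into an inventory triage check, shown here as an added example that is not code from Citrix or Tenable. The version-string format (dotted numbers with an optional build suffix), the hostnames and the sample versions are assumptions constructed for illustration.

```python
import re

# Affected branches per the article: (major, minor) -> first fixed patch
# level, or None when every release on that branch is affected.
AFFECTED = {(10, 0): 8, (10, 1): None, (10, 2): 3}

def parse_version(text):
    """Return (major, minor, patch-or-None) from a version string, else None."""
    m = re.match(r"\s*[vV]?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), None if patch is None else int(patch)

def classify(text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    major, minor, patch = version
    if major == 9:
        return "vulnerable"              # all 9.x releases
    if (major, minor) not in AFFECTED:
        return "unknown"                 # branch not covered by the article
    fixed = AFFECTED[(major, minor)]
    if fixed is None:
        return "vulnerable"              # all 10.1.x releases
    if patch is None:
        return "unknown"                 # e.g. "10.2": patch level needed
    # Integer comparison, so 10.0.10 is correctly newer than 10.0.8.
    return "vulnerable" if patch < fixed else "fixed"

def triage(inventory):
    """Group hostnames by status; everything not 'fixed' needs follow-up."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result

# Constructed inventory: hostnames, versions and build suffixes are made up.
SAMPLE = [
    ("branch-01", "9.3.5"), ("branch-02", "10.0.7.12"), ("branch-03", "10.0.8"),
    ("center-01", "10.1.2"), ("center-02", "10.2.2-b45"), ("center-03", "10.2.3.27"),
    ("lab-01", "11.0.1"), ("lab-02", "n/a"), ("lab-03", "10.2"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:<10} {', '.join(hosts)}")
```

Hosts reported as unknown run a branch the article does not mention or have a version string too short to decide, so they need a manual check rather than being treated as safe.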