cbcvebase.
CVE-2017-6316
published 2017-07-20


Priority: P1 · 95 · critical · CVSS 3.1: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2022-04-15)
Exploited in the wild
EPSS: 72.60% (99.4th percentile)
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.

Affected (10 ranges)

Vendor | Product | Version range | Fixed in
citrix | citrix_adm | |
citrix | citrix_hypervisor | |
citrix | citrix_virtual_apps_and_desktops | |
citrix | endpoint_management | |
citrix | netscaler_adc | |
citrix | netscaler_adc_gateway | |
citrix | netscaler_gateway | |
citrix | netscaler_sd-wan | <= 9.1.2.26.561201 |
citrix | sd-wan | |
citrix | xenserver | |

Detection & IOCs (extracted from sources)

cookie: CGISESSID=<payload>
cookie: CAKEPHP=<payload>
cookie: CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`<cmd>`
path: /global_data/
path: /cgi-bin/login.cgi
path: /tmp/n
path: /tmp/m
path: /home/talariuser/www/app/Controller/UsersController.php
path: /login
command: sudo /tmp/n
command: sudo /tmp/m
snort rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029164; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2017_6316, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_26;)
  • Detect POST requests to /global_data/ with backtick characters in the Cookie header (CGISESSID), which indicates a command injection attempt.
  • Monitor for POST requests to /cgi-bin/login.cgi with a CAKEPHP cookie value containing backtick-wrapped shell commands (CloudBridge devices).
  • Alert on POST to /login with a username field containing backtick-wrapped commands (SD-WAN Center variant via UsersController.php).
  • Watch for creation or execution of dropped ELF payloads at /tmp/m or /tmp/n following exploitation, especially via sudo.
  • The Snort/ET rule (sid:2029164) keys on: POST method, URI length of exactly 13 bytes (/global_data/), and a backtick in the cookie — all three together are a strong signal.
  • The vulnerable cookie name differs by product: CGISESSID on NetScaler SD-WAN appliances, CAKEPHP on CloudBridge (former name) devices. Detection rules must cover both cookie names.
  • A related but distinct unauthenticated RCE exists in SD-WAN Center (10.2.0.136.733315) via the username POST parameter to /login — not the cookie — requiring separate detection logic.
  • The ET Snort rule (sid:2029164) is tuned for outbound traffic ($HOME_NET -> $EXTERNAL_NET) and a URI length of exactly 13 bytes; perimeter placement is recommended per rule metadata.
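As an added illustration (not code from this page's sources or from the ET rule's authors), the following Python applies the three request-level detection bullets above to constructed sample requests, and separately reproduces the narrower conditions of the ET rule (sid:2029164) so the difference in coverage between the two is visible. The request/log layout, the hostnames and the `username` form-field name are assumptions; the sample requests are constructed and use the page's `<cmd>` placeholder rather than any real payload.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote

# Constructed sample requests (not real traffic). Each is a minimal HTTP/1.1
# request as a proxy or appliance access log that retains headers might store it.
SAMPLE_REQUESTS = [
    # 0: ordinary session cookie on the SD-WAN path: must not alert.
    "POST /global_data/ HTTP/1.1\r\nHost: sdwan.example.internal\r\n"
    "Cookie: CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4\r\n\r\n",
    # 1: backtick-wrapped content in CGISESSID (the IOC pattern from the page): alert.
    "POST /global_data/ HTTP/1.1\r\nHost: sdwan.example.internal\r\n"
    "Cookie: CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`<cmd>`\r\n\r\n",
    # 2: CloudBridge variant with the backticks percent-encoded (%60): still an alert.
    "POST /cgi-bin/login.cgi HTTP/1.1\r\nHost: cb.example.internal\r\n"
    "Cookie: CAKEPHP=%60<cmd>%60\r\n\r\n",
    # 3: SD-WAN Center variant: backticks in the username POST parameter to /login.
    #    The field name "username" is an assumption; the page names only the parameter.
    "POST /login HTTP/1.1\r\nHost: sdwanc.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=admin`<cmd>`&password=x",
    # 4: GET with a backtick in the cookie: not a documented vector, no alert.
    "GET /global_data/ HTTP/1.1\r\nHost: sdwan.example.internal\r\n"
    "Cookie: CGISESSID=abc`def`\r\n\r\n",
    # 5: backtick followed by a URL in the cookie, the shape the ET rule's
    #    content:"`"; content:"http"; distance:0 chain looks for (placeholder URL).
    "POST /global_data/ HTTP/1.1\r\nHost: sdwan.example.internal\r\n"
    "Cookie: CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`<cmd> http://<host>/<file>`\r\n\r\n",
]


@dataclass
class Request:
    method: str
    uri: str
    headers: dict
    body: str


def parse_request(raw: str) -> Request:
    """Split a raw HTTP request into method, URI, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, uri, headers, body)


def cookies(req: Request) -> dict:
    """Parse the Cookie header into a name -> raw value map."""
    jar = {}
    for part in req.headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def detect(req: Request) -> list:
    """Apply the three request-level detections from the bullets above.

    Cookie and form values are percent-decoded first so an encoded backtick
    (%60) is treated the same as a literal one.
    """
    alerts = []
    if req.method != "POST":
        return alerts
    jar = cookies(req)
    # len("/global_data/") == 13, which is exactly the ET rule's urilen:13 condition.
    if req.uri == "/global_data/" and "`" in unquote(jar.get("CGISESSID", "")):
        alerts.append("CVE-2017-6316: backtick in CGISESSID cookie on POST /global_data/ (NetScaler SD-WAN)")
    if req.uri == "/cgi-bin/login.cgi" and "`" in unquote(jar.get("CAKEPHP", "")):
        alerts.append("CVE-2017-6316: backtick in CAKEPHP cookie on POST /cgi-bin/login.cgi (CloudBridge)")
    if req.uri == "/login":
        params = parse_qs(req.body, keep_blank_values=True)  # parse_qs percent-decodes values
        if any("`" in v for v in params.get("username", [])):
            alerts.append("SD-WAN Center variant: backtick in username parameter on POST /login")
    return alerts


def matches_et_rule(req: Request) -> bool:
    """Mirror the ET rule sid:2029164 conditions on a single request.

    POST method, URI exactly 13 bytes containing /global_data/, a literal
    backtick in the Cookie header, and "http" somewhere after that backtick
    (distance:0 means the second match starts after the first one ends).
    """
    cookie = req.headers.get("cookie", "")
    tick = cookie.find("`")
    return (req.method == "POST" and len(req.uri) == 13 and "/global_data/" in req.uri
            and tick >= 0 and "http" in cookie[tick + 1:])


def scan(raw_requests) -> list:
    """Return (index, alerts, et_rule_hit) for every raw request."""
    out = []
    for i, raw in enumerate(raw_requests):
        req = parse_request(raw)
        out.append((i, detect(req), matches_et_rule(req)))
    return out


if __name__ == "__main__":
    for i, alerts, et in scan(SAMPLE_REQUESTS):
        print(f"request {i}: et_rule={et} alerts={alerts}")
```

Running the sample set shows the point the last bullets make: the broad detections fire on requests 1, 2, 3 and 5, while the ET rule fires only on request 5, because it additionally requires a URL following the backtick. A deployment that relies on the ET rule alone therefore sees the download-and-run pattern but not a bare injection, and neither check covers the percent-encoded CloudBridge case unless the sensor decodes the cookie first.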

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL