cbcvebase.
CVE-2020-8195
published 2020-07-10

CVE-2020-8195: Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN…

Priority: P182 · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 33.26% (98.2th percentile)
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.

Affected

22 ranges

Vendor | Product                                  | Version range         | Fixed in
citrix | application_delivery_controller_firmware | >= 10.5 < 10.5-70.18  | 10.5-70.18
citrix | application_delivery_controller_firmware | >= 11.1 < 11.1-64.14  | 11.1-64.14
citrix | application_delivery_controller_firmware | >= 12.0 < 12.0-63.21  | 12.0-63.21
citrix | application_delivery_controller_firmware | >= 12.1 < 12.1-57.18  | 12.1-57.18
citrix | application_delivery_controller_firmware | >= 13.0 < 13.0-58.30  | 13.0-58.30
citrix | citrix_adc                               |                       |
citrix | citrix_application_delivery_controller   |                       |
citrix | citrix_gateway                           |                       |
citrix | citrix_sd-wan_wanop                      |                       |
citrix | gateway_firmware                         | >= 13.0 < 13.0-58.30  | 13.0-58.30
citrix | gateway_plug-in_for_linux                | < 1.0.0.137           | 1.0.0.137
citrix | netscaler_adc                            |                       |
citrix | netscaler_gateway                        |                       |
citrix | netscaler_gateway_firmware               | >= 10.5 < 10.5-70.18  | 10.5-70.18
citrix | netscaler_gateway_firmware               | >= 11.1 < 11.1-64.14  | 11.1-64.14
citrix | netscaler_gateway_firmware               | >= 12.0 < 12.0-63.21  | 12.0-63.21
citrix | netscaler_gateway_firmware               | >= 12.1 < 12.1-57.18  | 12.1-57.18
citrix | sd-wan                                   |                       |
citrix | sd-wan_wanop                             | >= 10.2 < 10.2.7      | 10.2.7
citrix | sd-wan_wanop                             | >= 11.0 < 11.0.3d     | 11.0.3d
citrix | sd-wan_wanop                             | >= 11.1 < 11.1.1a     | 11.1.1a
citrix | xenserver                                |                       |

Detection & IOCs (extracted from sources)

url: /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1
url: /rapi/filedownload?filter=path:<path>
url: /menu/ss?sid=nsroot&username=nsroot&force_setup=1
path: /nsconfig/ns.conf
path: /etc/passwd
path: /var/nstmp
cookie: SESSID
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Information Disclosure Attempt Inbound (CVE-2020-8195)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?filter=path|3a 25|2F"; fast_pattern; http.request_body; content:"<clipermission"; startswith; reference:url,research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/; reference:cve,2020-8195; classtype:attempted-admin; sid:2031068; rev:1; metadata:created_at 2020_10_21, cve CVE_2020_8195, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_21, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;)
  • Exploit chain begins with an auth-bypass POST to /pcidss/report with URL params type=allprofiles, sid=loginchallengeresponse1requestbody, username=nsroot, set=1 and Content-Type application/xml; look for HTTP 406 response as a positive indicator of vulnerability.
  • LFI read is performed via POST to /rapi/filedownload with query parameter filter=path:<URL-encoded path>; the request body contains XML starting with <clipermission and includes custom headers X-NITRO-USER and X-NITRO-PASS.
  • The exploit URL-encodes forward slashes as %2F in the path parameter (e.g., filter=path:%2Fetc%2Fpasswd); detect the pattern ?filter=path|3a 25|2F in HTTP URI.
  • Successful session establishment is confirmed by a SESSID cookie in the response; subsequent requests reuse this cookie for the LFI stage.
  • Exploit targets /nsconfig/ns.conf by default, which contains device configuration including credentials; alert on POST requests to /rapi/filedownload referencing this path.
  • Exploit also enumerates /var/nstmp for session files; monitor POST requests to /rapi/filedownload with this path.
  • Presence of root:*:0:0: in the HTTP 406 response body to the /rapi/filedownload request confirms successful LFI exploitation.
  • The exploit uses a rand_key header value extracted from /menu/ss endpoint; monitor GET requests to /menu/ss?sid=nsroot&username=nsroot&force_setup=1 as a precursor step.
  • CVE-2020-8195 is chained with CVE-2020-8193 (auth bypass) in the wild; the Snort rule for CVE-2020-8195 (sid:2031068) carries only Medium confidence, while the auth-bypass rule (sid:2031067) carries High confidence, so both should be deployed together for full coverage.
  • The exploit module notes it is unclear at runtime whether the information disclosure is CVE-2020-8195 or CVE-2020-8196; detections targeting the LFI path may fire for either CVE.
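The precursor and LFI indicators listed above, turned into a check over HTTP access-log lines. This is an added example written for this page, not code from the cited sources or from Citrix; it assumes a combined-format access log (from a reverse proxy or the appliance's own HTTP logging) and the sample lines are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines: one full precursor + LFI sequence from 203.0.113.7, one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2020:12:00:01 +0000] "POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1" 406 512
203.0.113.7 - - [10/Jul/2020:12:00:02 +0000] "GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1" 200 9812
203.0.113.7 - - [10/Jul/2020:12:00:03 +0000] "POST /rapi/filedownload?filter=path:%2Fnsconfig%2Fns.conf HTTP/1.1" 406 20481
198.51.100.9 - - [10/Jul/2020:12:05:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 3310
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Query parameters of the auth-bypass precursor request (CVE-2020-8193) from the IOC list.
BYPASS_PARAMS = {"type": "allprofiles", "sid": "loginchallengeresponse1requestbody",
                 "username": "nsroot", "set": "1"}
# Files the IOC list calls out as typical LFI targets.
SENSITIVE_PATHS = ("/nsconfig/ns.conf", "/var/nstmp", "/etc/passwd")


def classify(method, target, status):
    """Map one request to a stage label from the IOC list, or None if it matches nothing."""
    parts = urlsplit(target)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}  # values are URL-decoded here
    if method == "POST" and parts.path == "/pcidss/report" \
            and all(qs.get(k) == v for k, v in BYPASS_PARAMS.items()):
        # A 406 reply to this request is the page's positive indicator of vulnerability.
        return "auth-bypass-precursor" + (" (406: likely vulnerable)" if status == 406 else "")
    if method == "GET" and parts.path == "/menu/ss" \
            and qs.get("username") == "nsroot" and qs.get("force_setup") == "1":
        return "rand_key-fetch-precursor"
    if method == "POST" and parts.path == "/rapi/filedownload" \
            and "filter=path:%2f" in parts.query.lower():  # same raw URI pattern as the Snort rule
        path = qs.get("filter", "")[len("path:"):]
        hit = next((p for p in SENSITIVE_PATHS if path.startswith(p)), None)
        return f"lfi-read {path}" + (f" [sensitive: {hit}]" if hit else "")
    return None  # access logs carry no body, so the <clipermission body check stays with the IDS


def detect(log_text):
    """Return (client_ip, stage) for every log line that matches one of the IOCs, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stage = classify(m["method"], m["target"], int(m["status"]))
            if stage:
                hits.append((m["ip"], stage))
    return hits
```

Three hits from the same client within seconds, ending in a 406 to /rapi/filedownload, is the chain the bullets describe; a lone hit on the LFI stage may be either CVE-2020-8195 or CVE-2020-8196, as the last bullet notes.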

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd       | v2.0    | 4.0   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:N/A:N
vulncheck |         | 6.5   | MEDIUM   |
cisa      |         | 6.5   | MEDIUM   |