Contact Support

Customers who viewed this article also viewed

CTX285061 {{tooltipText}}

Citrix SDWAN Center Security Update

Applicable Products

  • Citrix SD-WAN

Description of Problem

Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root.

These vulnerabilities have the following identifiers:

CVE Description Vulnerability Type Pre-conditions 
CVE-2020-8271  Unauthenticated remote code execution with root privileges CWE-23: Path Traversal An attacker must be able to communicate with SD-WAN Center's Management IP/FQDN
CVE-2020-8272 Authentication Bypass resulting in exposure of SD-WAN functionality CWE-287: Improper Authentication An attacker must be able to communicate with SD-WAN Center's Management IP/FQDN
CVE-2020-8273 Privilege escalation of an authenticated user to root CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') The attacker must be an authenticated user on SD-WAN Center

The following supported versions of Citrix SD-WAN Center are affected by these issues:

  • Citrix SD-WAN 11.2 before 11.2.2
  • Citrix SD-WAN 11.1 before 11.1.2b
  • Citrix SD-WAN 10.2 before 10.2.8

Other versions are now End of Life and no longer supported.

Mitigating Factors

Citrix SD-WAN Center is an internal management platform for Citrix SD-WAN and access to Citrix SD-WAN Center is likely to be restricted.

What Customers Should Do

The issues have been addressed in the following versions of Citrix SD-WAN Center: 

  • Citrix SD-WAN 11.2.2 and later versions of Citrix SD-WAN 11.2 
  • Citrix SD-WAN 11.1.2b and later versions of Citrix SD-WAN 11.1
  • Citrix SD-WAN 10.2.8 and later versions of Citrix SD-WAN 10.2 

Affected customers are strongly recommended to immediately update their deployments.

 

The latest versions of Citrix SD-WAN Center are available at: https://www.citrix.com/en-gb/downloads/citrix-sd-wan/

Acknowledgements

Citrix would like to thank Ariel Tempelhof of Realmode Labs for working with us to protect Citrix customers.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at  http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at  https://www.citrix.com/support/open-a-support-case.html

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html

Changelog

Date  Change
2020-11-10 Initial Publication