Citrix CTX236992: Citrix SD-WAN Multiple Security Updates
Source: support.citrix.com (history entry Nov 09, 2020, 9:09 a.m.)
EPSS: 0.067 (93.9th percentile)
<section>
<div><div>
<div>
<h2>Description of Problem</h2>
<div>
<div>
<div>
<p>Multiple vulnerabilities have been identified in the management interface of Citrix NetScaler SD-WAN physical appliances and virtual appliances. Collectively these vulnerabilities could allow an unauthenticated attacker with access to the management interface to compromise the host. The vulnerabilities have been assigned the following CVE numbers.</p>
<p>CVE-2018-17444 - Directory traversal in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4.</p>
<p>CVE-2018-17445 - Command Injection in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4.</p>
<p>CVE-2018-17446 - SQL Injection in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4.</p>
<p>CVE-2018-17447 - Information exposure through log files in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4.</p>
<p>CVE-2018-17448 - Incorrect Access Controls in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4.</p>
<p>CVE-2012-2104 - Munin Remote Command Injection Vulnerability.</p>
<p>CVE-2016-4793 - The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.</p>
<p>Citrix NetScaler SD-WAN WAN Optimization Edition is not affected.</p>
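<p>CVE-2016-4793 above describes a client-IP resolver that believes whatever a request carries in its CLIENT-IP header. The following Python example is added here and is not Citrix's or CakePHP's code: it places that pattern beside a resolver that ignores CLIENT-IP entirely and honours X-Forwarded-For only when the TCP peer is one of a configured set of trusted proxies. The function names, the trusted-proxy list and the sample header values are constructed for illustration.</p>

```python
import ipaddress
from typing import Mapping, Optional, Sequence, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ip(text: str) -> Optional[IPAddress]:
    """Return an address object, or None if the string is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def naive_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The pattern behind CVE-2016-4793 (hypothetical reimplementation):
    a Client-IP or X-Forwarded-For header supplied by the request is believed
    as-is, so any client can present an arbitrary address to IP-based access
    checks, rate limits and audit logs."""
    for name in ("Client-IP", "X-Forwarded-For"):
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def hardened_client_ip(remote_addr: str, headers: Mapping[str, str],
                       trusted_proxies: Sequence[str]) -> str:
    """Use forwarding headers only when the TCP peer is a trusted proxy, and
    walk X-Forwarded-For from the right so that only hops appended by our own
    proxies are believed. Client-IP is never consulted."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        ip = parse_ip(addr)
        return ip is not None and any(ip in net for net in nets)

    if not is_trusted(remote_addr):
        # Direct connection: any forwarding header is attacker-controlled.
        return remote_addr

    # Header names are assumed canonical here; a real framework normalises them.
    raw = headers.get("X-Forwarded-For", "")
    chain = [hop.strip() for hop in raw.split(",") if hop.strip()]
    client = remote_addr
    for hop in reversed(chain):
        if parse_ip(hop) is None:
            break  # malformed entry: keep the last valid address seen
        client = hop
        if not is_trusted(hop):
            break  # first untrusted hop is the real client
    return client
```

<p>The key design point is that the decision to trust a header is made from the connection's peer address, which the client cannot forge, rather than from the header itself; anything to the left of the first untrusted hop in the chain is discarded because the client could have written it.</p>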
</div>
</div>
</div>
</div>
<div>
<h2>Mitigating Factors</h2>
<div>
<div>
<div>
<p>In order to protect against these vulnerabilities and related web application issues, Citrix recommends that access to the management interface of the appliance be restricted. In situations where customers have deployed their appliances in line with industry best practice, network access to this interface should already be restricted.</p>
<p>Security Best Practices:</p>
<p>9.3.x - <a href="https://docs.citrix.com/en-us/netscaler-sd-wan/9-3/security-best-practices.html">https://docs.citrix.com/en-us/netscaler-sd-wan/9-3/security-best-practices.html</a></p>
<p>10.x - <a href="https://docs.citrix.com/en-us/netscaler-sd-wan/10/best-practices/security-best-practices.html">https://docs.citrix.com/en-us/netscaler-sd-wan/10/best-practices/security-best-practices.html</a></p>
<p>Connections can be whitelisted by IP address under Configuration -> Appliance Settings -> Network Adapters -> IP Address -> Management Interface Whitelist. This feature ensures that only known networks or hosts can connect to the SD-WAN management interface.</p>
</div>
</div>
</div>
</div>
<div>
<h2>What Customers Should Do</h2>
<div>
<div>
<div>
<p>These vulnerabilities have been addressed in the following software versions:</p>
<p>• NetScaler SD-WAN 9.3.6</p>
<p>• NetScaler SD-WAN 10.0.4</p>
<p>• Citrix SD-WAN 10.1.1</p>
<p>Citrix strongly recommends that customers using vulnerable combinations of hardware and software upgrade their appliances to the new version or later as soon as possible.</p>
<p>The new software versions will be available on the Citrix website. Information on the available versions can be found at the following location:</p>
<p><a href="https://www.citrix.com/downloads/netscaler-sd-wan/">https://www.citrix.com/downloads/netscaler-sd-wan/</a></p>
<p>In line with general best practice, Citrix also recommends that customers limit access to the management interfaces of the NetScaler SD-WAN appliances to trusted network traffic only.</p>
<p>CVE-2016-4793 mitigations are not included in the 10.0.4 release but will be addressed in a future release. The interim mitigation for this issue is to limit access to the management interface of the NetScaler SD-WAN appliance to trusted network traffic only.</p>
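<p>The affected ranges, fixed releases, the WAN Optimization Edition exclusion and the note that 10.0.4 does not carry the CVE-2016-4793 mitigation together define a small triage rule set. The Python example below is added here and is not Citrix tooling: it encodes those rules from this bulletin and runs them over a constructed appliance inventory, so that a defender can see which appliances need an upgrade and which still rely on the management-interface whitelist. Hostnames, the edition labels, the whitelist flag and the inventory rows are all constructed; the version comparison generalises the bulletin's three families to dotted build numbers of any length.</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases per affected family, as stated in the bulletin:
# 9.3.x before 9.3.6 and 10.0.x before 10.0.4 (NetScaler SD-WAN),
# 10.1.0 fixed in 10.1.1 (Citrix SD-WAN).
FIXED_IN: Dict[Version, Version] = {
    (9, 3): (9, 3, 6),
    (10, 0): (10, 0, 4),
    (10, 1): (10, 1, 1),
}


def parse_version(text: str) -> Version:
    """'10.0.4.2' -> (10, 0, 4, 2). Tuples compare component-wise, which is
    what 'before 10.0.4' means for dotted build numbers of any length."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def fix_for(version: str) -> Optional[str]:
    """First fixed release if `version` lies in an affected range, else None.
    None is also returned for release families the bulletin does not cover."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None or v >= fixed:
        return None
    return ".".join(map(str, fixed))


@dataclass
class Appliance:
    name: str
    edition: str          # constructed labels: "Standard" or "WAN Optimization"
    version: str
    mgmt_whitelist: bool  # Management Interface Whitelist configured?


def triage(inventory: List[Appliance]) -> List[Tuple[str, str]]:
    """Map each appliance to the actions the bulletin calls for."""
    findings: List[Tuple[str, str]] = []
    for a in inventory:
        if a.edition == "WAN Optimization":
            continue  # bulletin: WAN Optimization Edition is not affected
        fixed = fix_for(a.version)
        if fixed:
            findings.append((a.name, f"upgrade to {fixed} or later"))
        elif parse_version(a.version)[:2] == (10, 0):
            # Patched 10.0.x still lacks the CVE-2016-4793 mitigation.
            findings.append((a.name, "CVE-2016-4793 unfixed in 10.0.x; keep management access restricted"))
        if not a.mgmt_whitelist:
            findings.append((a.name, "enable Management Interface Whitelist"))
    return findings


# Constructed sample inventory (hypothetical hostnames and settings).
SAMPLE_INVENTORY = [
    Appliance("sdwan-hq-01", "Standard", "9.3.5", mgmt_whitelist=False),
    Appliance("sdwan-hq-02", "Standard", "10.0.4.2", mgmt_whitelist=True),
    Appliance("sdwan-br-01", "Standard", "10.1.0", mgmt_whitelist=True),
    Appliance("wanop-01", "WAN Optimization", "9.3.2", mgmt_whitelist=False),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY):
        print(f"{name}: {action}")
```

<p>Because every rule is keyed on a version tuple rather than a string prefix, a build such as 10.0.4.2 is correctly treated as at or after 10.0.4, while 9.3 with no third component sorts before 9.3.6 and is flagged.</p>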
</div>
</div>
</div>
</div>
<div>
<h2>Acknowledgements</h2>
<div>
<div>
<div>
<p>Citrix thanks Denis Kolegov, Nikita Oleksov, Nikolay Tkachenko, Oleg Broslavsky and Sergey Gordeychik of <a href="https://www.scada.sl">www.scada.sl</a> for working with us to protect Citrix customers.</p>
</div>
</div>
</div>
</div>
<div>
<h2>What Citrix Is Doing</h2>
<div>
<div>
<div>
<div>
<div>
<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <a href="http://support.citrix.com/">http://support.citrix.com/</a>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2>Obtaining Support on This Issue</h2>
<div>
<div>
<div>
<div>
<div>
<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <a href="https://www.citrix.com/support/open-a-support-case.html">https://www.citrix.com/support/open-a-support-case.html</a>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2>Reporting Security Vulnerabilities</h2>
<div>
<div>
<div>
<div>
<div>
<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – <a href="http://support.citrix.com/article/CTX081743">Reporting Security Issues to Citrix</a></p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2>Changelog</h2>
<div>
<div>
<div>
<table width="100%">
<tbody>
<tr>
<th>Date</th>
<th>Change</th>
</tr>
<tr>
<td>October 22nd 2018</td>
<td>Initial bulletin published</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div></div>
</section>