Don’t let attackers eat CakePHP2
UPDATED Enterprises that use the Citrix SD-WAN Center (SDWC) have been urged to update their systems to protect their networks from malicious takeover.
Security researchers from Realmode Labs issued the warning after chaining an authentication bypass flaw in the Collector endpoint with a stop_ping shell injection to achieve pre-authenticated remote code execution (RCE).
“This is a major vulnerability which allows someone to intercept traffic or take down your whole international network,” said Ariel Tempelhof, co-founder and CEO of the Tel Aviv-based cybersecurity firm of the bug, which is being tracked as CVE-2020-8271.
However, Fermin Serna, chief information security officer at Citrix, told The Daily Swig: “The significant mitigating factor in this vulnerability is the exposure of the SD-WAN to the Internet, which is against the recommended installation process.
“In order to exploit it, attackers would need to communicate with SD-WAN center management, and we advise that management never be put outside of the firewall.”
A blog post published by Realmode Labs yesterday (November 15) also documents the discovery of an authentication bypass in ConfigEditor (CVE-2020-8272) and a shell injection on the CreateAzureDeployment endpoint (CVE-2020-8273).
Probing a previous patch
SD-WAN (Software-defined Wide Area Network) architecture helps enterprises optimize their use of transport services to improve the performance and lower the costs of running SaaS, cloud, and virtual applications.
Citrix’s SD-WAN Center is a centralized management system that enables sysadmins to configure, monitor, and analyze all of the SD-WAN appliances on their wide area network.
When it came to developing this latest exploit, the Realmode researchers probed a 2019 fix applied by Citrix after Tenable’s Chris Lyne fashioned an RCE chain affecting the SDWC and SD-WAN appliance.
Here, Citrix resolved an authentication bypass bug that used the Collector endpoint to reach diagnostics by adding access restriction in the Apache configuration.
The fix, which blocked access to Collector unless a vendor-signed client certificate was presented, initially proved robust, so the researchers turned their attention to how the CakePHP2 framework underpinning Citrix SD-WAN handled URLs, assisted by Lyne’s Intro to CakePHP.
Piece of cake
Examining the function _url in the CakeRequest.php, the researchers found that a REQUEST_URI containing ? after :// removed the first part of the URI, causing a discrepancy between how the URI was perceived by Apache and CakePHP and a means to bypass the client certificate check.
“A URI of the form aaaaaaaaaaaaaaaaa/://?/collector/diagnostics/stop_ping will translate to /collector/diagnostics/stop_ping and require neither client certificate nor authentication”, said Tempelhof.
Tempelhof said Realmode Labs remained unsure “whether this is a Citrix vulnerability or a much wider CakePHP2 one”.
The researchers achieved path traversal because sanitization was not performed on $req_id, which uses the /tmp/pid_ file read by /collector/diagnostics/stop_ping in a shell_exec call.
The research is the second instalment of a four-part series of Realmode Labs blog posts uncovering now-remedied RCE chains in four popular SD-WAN platforms.
As reported by The Daily Swig last week, the series kicked off with Silver Peak’s Unity Orchestrator.
Tempelhof said he notified Citrix of the flaws “in mid August”.
Tempelhof, who undertook the research with colleague Yaar Hahn, told The Daily Swig: “The main bug is not entirely Citrix’s fault. The Collector auth bypass bug was caused because of bad integration between Apache & CakePHP.
“From a developer perspective, these kinds of bugs are the hardest to spot. That's why we believe every integration with a 3rd party framework should undergo a security assessment before proceeding to production.”
Fermin Serna of Citrix added: “We commit significant resources to detect and respond quickly and effectively to vulnerabilities and work closely with outside security experts to minimize their impact and ensure that our customers are safe.
“Recognizing that we live in a dynamic threat environment, we are continually working to enhance our security posture and protocols and have added staff to our technical support call centers to be sure we are prepared to provide our customers with the support they need to maintain the integrity of their systems and data.”
This article was updated on November 16 with comments from Citrix. Incorrect information regarding market share was also removed on November 18 – thanks to reader Avishay Zawoznik for pointing out the oversight.