CVE-2017-6316
Published: 20 July 2017
Summary
CVE-2017-6316 is a critical-severity vulnerability (weakness type unspecified) in Citrix NetScaler SD-WAN. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Citrix NetScaler SD-WAN appliances through version 9.1.2.26.561201 contain a remote command execution flaw that permits unauthenticated attackers to run arbitrary shell commands as root by supplying a crafted CGISESSID cookie; the same issue previously affected CloudBridge devices under the cookie name CAKEPHP. The vulnerability received a CVSS v3 score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
An attacker with network access to the management interface can therefore achieve full system compromise simply by sending a malicious cookie value, bypassing all authentication controls and obtaining a root shell on the device.
Citrix addressed the issue in security bulletin CTX225990, while public exploit code has been published on Exploit-DB. The flaw affects the web management component and requires no special configuration beyond the default cookie handling present in the listed firmware versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-15377
Vulnerability details
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.
- CWE(s): unspecified
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks on the management interface before any cookie-derived session can execute root-level commands.
- IA-2 (Identification and Authentication (Organizational Users)): requires non-bypassable identification and authentication for all organizational users accessing the SD-WAN web management component.
- Input validation: mandates validation of the CGISESSID (or CAKEPHP) cookie value to reject malformed content that would otherwise result in arbitrary shell command execution.