CVE-2019-12991
Published: 16 July 2019
Summary
CVE-2019-12991 is a high-severity OS Command Injection (CWE-78) vulnerability in Citrix NetScaler SD-WAN. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 contain an improper input validation vulnerability tracked as CVE-2019-12991 and classified as CWE-78 (OS Command Injection). The flaw is one of six related issues in the affected releases and carries a CVSS 3.1 score of 8.8, reflecting a network attack vector, low attack complexity, and low required privileges.
An attacker with low-privileged network access can supply crafted input that bypasses validation checks, enabling authentication bypass followed by remote command execution. Successful exploitation grants full control over the appliance, allowing arbitrary command execution with impacts to confidentiality, integrity, and availability.
Citrix advisory CTX251987 and associated Tenable research note that the issues are resolved in SD-WAN 10.2.3 and NetScaler SD-WAN 10.0.8. Public proof-of-concept code demonstrating the authentication bypass and remote command execution path has been published on Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-4566
Vulnerability details
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).
- CWE(s): CWE-78
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of all inputs to the SD-WAN appliance, blocking the crafted data that triggers the CWE-78 command injection and subsequent auth bypass.
- AC-3 (Access Enforcement): Enforces access-control decisions on every network request, preventing the low-privilege authentication bypass that leads to RCE.
- IA-2 (Identification and Authentication (Organizational Users)): Requires identification and authentication of organizational users before any privileged actions, mitigating the authentication-bypass path described in the CVE.