Citrix SD-WAN Security Bulletin

Jeff Silverman

Issue

Vulnerabilities have been discovered in Citrix Endpoint Management (XenMobile Server), which, collectively, may allow a XenMobile console user with either an admin role or a custom role that has ‘Create Support Bundles’ enabled, to gain root access to the underlying OS.

To review all 4 Citrix vulnerabilities announced on April 12th, please read our digest.

CVE-ID: CVE-2022-27505
  • Description: Reflected cross-site scripting (XSS)
  • CWE: CWE-79: Improper neutralization of input during web page generation (cross-site scripting)
  • Affected Products: Citrix SD-WAN Standard/Premium Edition Appliance
  • Pre-Conditions: Victim user must have a current session on the vulnerable device

CVE-ID: CVE-2022-27506
  • Description: Hard-coded credentials allow administrators to access the shell via the SD-WAN CLI
  • CWE: CWE-798: Use of hard-coded credentials
  • Affected Products: Citrix SD-WAN Center Management Console, Citrix SD-WAN Standard/Premium Edition Appliance, and Citrix SD-WAN Orchestrator for On-Premises
  • Pre-Conditions: Admin access to SD-WAN CLI

Affected versions

The following supported versions of Citrix SD-WAN are affected by the vulnerabilities:

  • CVE-2022-27505 – High Severity
    • Citrix SD-WAN Standard/Premium Edition Appliance before 11.4.3a
  • CVE-2022-27506 – Low Severity
    • Citrix SD-WAN Center Management Console versions before 11.4.3
    • Citrix SD-WAN Standard/Premium Edition Appliance versions before 11.4.1
    • Citrix SD-WAN Orchestrator for On-Premises versions before 13.2.1

Mitigating Factors

CVE-2022-27506: This issue is only exposed to administrators with access to the SD-WAN CLI.

Recommended Action

  • CVE-2022-27505:

Citrix recommends that affected customers upgrade to a fixed version as soon as possible. This issue has been addressed in the following supported Citrix SD-WAN versions:

    • Citrix SD-WAN Standard/Premium Edition Appliance versions 11.4.3a and above
  • CVE-2022-27506:

Citrix recommends that affected customers upgrade to a fixed version as their patching schedule allows. This issue has been addressed in the following supported Citrix SD-WAN versions:

    • Citrix SD-WAN Center Management Console versions 11.4.3 and above
    • Citrix SD-WAN Standard/Premium Edition Appliance versions 11.4.1 and above
    • Citrix SD-WAN Orchestrator for On-Premises versions 13.2.1 and above
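As an added example that is not part of the bulletin, the following Python checker maps a product and firmware version string to the CVEs listed above, using the affected and fixed versions from the "Affected versions" and "Recommended Action" sections; its one parsing assumption is that a hotfix build carries a single trailing letter, as in 11.4.3a, which sorts above the bare 11.4.3.

```python
import re
from typing import Dict, List, Tuple

# Fixed-version thresholds copied from the bulletin. A build strictly below
# the threshold for its product is affected by the corresponding CVE.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2022-27505": {
        "Citrix SD-WAN Standard/Premium Edition Appliance": "11.4.3a",
    },
    "CVE-2022-27506": {
        "Citrix SD-WAN Center Management Console": "11.4.3",
        "Citrix SD-WAN Standard/Premium Edition Appliance": "11.4.1",
        "Citrix SD-WAN Orchestrator for On-Premises": "13.2.1",
    },
}

# Assumption: dotted numeric version, optionally followed by one hotfix letter.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '11.4.3a' into ((11, 4, 3), 'a'); '11.4.3' yields an empty suffix,
    which compares lower than 'a', so the hotfix build sorts above the base build."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)


def version_is_below(version: str, threshold: str) -> bool:
    """True when `version` is older than the fixed `threshold`."""
    v_num, v_suf = parse_version(version)
    t_num, t_suf = parse_version(threshold)
    # Pad the shorter tuple with zeros so '13.1' compares as '13.1.0'.
    width = max(len(v_num), len(t_num))
    v_num += (0,) * (width - len(v_num))
    t_num += (0,) * (width - len(t_num))
    return (v_num, v_suf) < (t_num, t_suf)


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVEs from this bulletin that still apply to the given build."""
    return sorted(
        cve
        for cve, thresholds in FIXED_VERSIONS.items()
        if product in thresholds and version_is_below(version, thresholds[product])
    )
```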

More Information

https://support.citrix.com/article/CTX370550