Description of Problem
Vulnerabilities have been discovered in multiple Citrix SD-WAN products. These vulnerabilities, if exploited, could result in the following security issues:
| CVE-ID | Description | CWE | Affected Products | Pre-conditions |
| --- | --- | --- | --- | --- |
| CVE-2022-27505 | Reflected cross-site scripting (XSS) | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Citrix SD-WAN Standard/Premium Edition Appliance | Victim user must have a current session on the vulnerable device. |
| CVE-2022-27506 | Hard-coded credentials allow administrators to access the shell via the SD-WAN CLI | CWE-798: Use of Hard-coded Credentials | Citrix SD-WAN Center Management Console, Citrix SD-WAN Standard/Premium Edition Appliance, and Citrix SD-WAN Orchestrator for On-Premises | Admin access to SD-WAN CLI |
The following supported versions of Citrix SD-WAN are affected by the vulnerabilities:
- CVE-2022-27505 – High Severity
  - Citrix SD-WAN Standard/Premium Edition Appliance versions before 11.4.3a
- CVE-2022-27506 – Low Severity
  - Citrix SD-WAN Center Management Console versions before 11.4.3
  - Citrix SD-WAN Standard/Premium Edition Appliance versions before 11.4.1
  - Citrix SD-WAN Orchestrator for On-Premises versions before 13.2.1
Mitigating Factors
- CVE-2022-27506: This issue is only exposed to administrators with access to the SD-WAN CLI.
What Customers Should Do
- CVE-2022-27505: Citrix recommends that affected customers upgrade to a fixed version as soon as possible. This issue has been addressed in the following supported Citrix SD-WAN versions:
  - Citrix SD-WAN Standard/Premium Edition Appliance versions 11.4.3a and above
- CVE-2022-27506: Citrix recommends that affected customers upgrade to a fixed version as their patching schedule allows. This issue has been addressed in the following supported Citrix SD-WAN versions:
  - Citrix SD-WAN Center Management Console versions 11.4.3 and above
  - Citrix SD-WAN Standard/Premium Edition Appliance versions 11.4.1 and above
  - Citrix SD-WAN Orchestrator for On-Premises versions 13.2.1 and above
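As an added, defender-side example (not part of the Citrix bulletin), the following Python script encodes the affected and fixed versions listed above and checks an inventory of SD-WAN components against them. The hostnames in the inventory are constructed sample data. It assumes that a trailing hotfix letter such as the "a" in 11.4.3a sorts after the plain release number, which is how the bulletin's "before 11.4.3a" reads; a plain 11.4.3 appliance is therefore reported as still affected by CVE-2022-27505.

```python
import re
from typing import Dict, List, Tuple

# First fixed version per product and CVE, as published in the bulletin.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "Citrix SD-WAN Standard/Premium Edition Appliance": {
        "CVE-2022-27505": "11.4.3a",
        "CVE-2022-27506": "11.4.1",
    },
    "Citrix SD-WAN Center Management Console": {
        "CVE-2022-27506": "11.4.3",
    },
    "Citrix SD-WAN Orchestrator for On-Premises": {
        "CVE-2022-27506": "13.2.1",
    },
}

# Dotted numeric release, optionally followed by one hotfix letter (e.g. "11.4.3a").
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a build string like '11.4.3a' into a tuple that compares correctly.

    Numeric components are compared numerically (so 11.4.10 > 11.4.3) and
    padded to four places (so 11.4 == 11.4.0). A trailing letter becomes a
    final component, 0 when absent, so 11.4.3 < 11.4.3a. Assumption: the
    letter denotes a later hotfix build of the same release.
    """
    match = _VERSION_RE.match(version.strip().lower())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))
    suffix = ord(match.group(2)) - ord("a") + 1 if match.group(2) else 0
    return numbers + (suffix,)


def is_affected(product: str, version: str, cve: str) -> bool:
    """True if this product/version is below the first fixed build for the CVE.

    Products the bulletin does not list for a CVE are reported as not affected.
    """
    fixed = FIXED_VERSIONS.get(product, {}).get(cve)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Map each (host, product, version) to the sorted list of CVEs it is exposed to."""
    report = []
    for host, product, version in inventory:
        hits = sorted(
            cve for cve in FIXED_VERSIONS.get(product, {})
            if is_affected(product, version, cve)
        )
        report.append((host, hits))
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("sdwan-edge-01", "Citrix SD-WAN Standard/Premium Edition Appliance", "11.4.3"),
    ("sdwan-edge-02", "Citrix SD-WAN Standard/Premium Edition Appliance", "11.4.3a"),
    ("sdwan-center", "Citrix SD-WAN Center Management Console", "11.4.2"),
    ("sdwan-orch", "Citrix SD-WAN Orchestrator for On-Premises", "13.2.1"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY):
        status = ", ".join(cves) if cves else "not affected"
        print(f"{host}: {status}")
```

The version parser is the part worth keeping: a naive string comparison would rank 11.4.10 below 11.4.3 and would treat 11.4.3 as equal to 11.4.3a, which is exactly the boundary the CVE-2022-27505 fix sits on.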
Changelog
| Date | Change |
| --- | --- |
| 2022-04-12 | Initial Publication |