SonicWall Capture Labs Threat Research Team became aware of the threat Citrix Bleed, assessed its impact and developed mitigation measures for the vulnerability.

Citrix NetScaler is an Application Delivery Controller (ADC) and load balancer designed to enhance the performance and security of web-based applications. Produced by Citrix Systems, NetScaler ensures the swift, reliable and secure delivery of applications to devices everywhere. It combines advanced traffic management, application security, content switching and optimization features in one platform.

Citrix NetScaler, encompassing both ADC and NetScaler Gateway, recently came under scrutiny for a vulnerability identified as CVE-2023-4966. As of October 18th, CISA has reported active exploitation of this vulnerability. This flaw pertains to a sensitive information disclosure that can occur when the system is set up as a Gateway (encompassing VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA "virtual" server. Notably, the vulnerability corresponds to CWE-119, which is described as "improper restriction of operations within the bounds of a memory buffer". In some configurations, the sensitive information disclosed can include a valid session token.

The affected versions are:
  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

This vulnerability has been patched by Citrix on October 10th and can be mitigated by upgrading to the latest version of NetScaler.

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-4966.

The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:X/RL:X/RC:X).

Base score is 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), based on the following metrics:
  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is Low.
Temporal score is N/A (E:X/RL:X/RC:X), based on the following metrics:
  • The exploit code maturity level of this vulnerability is Not Defined.
  • The remediation level of this vulnerability is Not Defined.
  • The report confidence level of this vulnerability is Not Defined.

In an effort to pinpoint the vulnerability, a comparative analysis was conducted between the two specific versions of the software: the older 13.1-48.47 and the newer 13.1-49.15. By meticulously examining the differences and updates between these versions, we were able to identify the exact location of the patch and gain a deeper understanding of the vulnerability's nature. In Figure 1 the differences can be seen by using the tool BinDiff.

The ns_vpn_process_unauthenticated_request function has been meticulously crafted to build and validate the URL /oauth/idp/.well-known/openid-configuration. Within its implementation, there is a significant call to ns_aaa_oauth_send_openid_config, which makes use of the snprintf function as seen in Figure 2.

The primary role of this function is to format and populate the print_temp_rule buffer with a series of characters and values. Delving into its specifics: the destination buffer is print_temp_rule, and it has a Maximum Size of 0x20000, which is equivalent to roughly 128 KB. The format string, a comprehensive JSON object, as seen in Figure 3, details the OpenID Connect configuration.

The snprintf as seen in Figure2, employs multiple %.*s format specifiers which expect a length and a string as paired arguments. These specifiers are used to define various OAuth and OpenID Connect endpoints, with the base URL or domain inferred from the variable host_string. To shed light on the arguments (figure 2): length denotes the length of the host_string and ensures only up to length characters from host_string are printed. The host_string reference is the base URL or domain that fills in the respective URLs in the JSON.

In the aftermath of this operation, not_size_buffer will hold the count of characters intended for print_temp_rule, excluding the null byte, if there were no buffer constraints. This behavior of snprintf is typical: It returns the number of characters it aims to write, irrespective of the size limit that might truncate the actual write-up. Thus, not_size_buffer captures the length of the fully constructed JSON string.

This function's design intricacies go beyond just formatting; there's a security facet to it. Initially, the function would instantly send out the response. But in its patched form, a response is dispatched only if snprintf yields a value less than 0x20000.

There's a vulnerability in how the return value of snprintf is used to determine how many bytes are sent to the client through ns_vpn_send_response. Contrary to what one might expect, snprintf doesn't return the number of bytes it actually writes to the buffer. Instead, it returns the number it would have written if the buffer was large enough. This is where the security risk comes into play. The return value is being incorrectly used as the number of bytes written to the buffer.

  • The target must be running NetScaler Citrix Firmware version prior to 13.1-49.15.
  • The attacker must have network access to the vulnerable software.
  • Sending a GET request to the endpoint: /oauth/idp/.well-known/openid-configuration,
containing Host: a (any 'char' to the power of 24,576).

To exploit this vulnerability, the attacker’s goal is to generate a response that exceeds a buffer size of 0x20000 bytes. If successful, the application would send not only the filled buffer but also the memory following the print_temp_rule buffer, potentially exposing sensitive data or causing other unexpected issues. Proof of concept code has been published and active exploitation of this vulnerability has been reported by CISA on October 18th. Included in the leaked information, depending on the appliance’s configuration, is a 65 byte long hex string which is a valid session cookie. As a resulted an attacker can use this session key to impersonate an active user.

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4130 NetScaler ADC/Gateway Information Disclosure

The risks posed by this vulnerability can be mitigated or eliminated by:
  • Applying the vendor-supplied patch to eliminate this vulnerability.
  • Utilizing up-to-date IPS signatures to filter network traffic.
  • Alternatively, consider taking the server offline.

  • CVE-2023-4966
  • CNA CVSS Metrics
  • Vendor Advisory
  • Citrix Bleed
  • Public POC

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  phpPgAdmin is an open-source, web-based administration tool for managing PostgreSQL, an advanced, enterprise-class, and open-source relational database system. phpPgAdmin is written in PHP and provides a user-friendly interface that allows users to perform various database management tasks. Users can create, modify, and delete databases, tables, and records through this interface, making it a valuable tool for those who prefer a graphical user interface over command-line interaction.

  It has been reported that phpPgAdmin 7.14.4 and earlier versions have a deserialization vulnerability. Deserialization vulnerabilities occur when an application unsafely processes external input during the deserialization process, potentially leading to code execution, denial of service, or elevation of privileges. This vulnerability underscores the importance of using secure coding practices and regularly updating software to protect against known vulnerabilities.

  Vendor Homepage

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-40619.

  CVE Listing

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept code.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

  The doEmpty function in the tables.php file is responsible for emptying tables in a database, and it is designed to handle both single and multiple table emptying operations. It works by taking user input from the $_REQUEST['ma'] or $_REQUEST['table'] global variables, which are populated by the client through HTTP GET or POST requests. When multiple tables are specified through $_REQUEST['ma'], the function iterates over each table, unserializes the user input, and performs the emptying operation on each specified table. The use of the unserialize function here is critical as it exposes a potential security vulnerability known as PHP Object Injection due to the way it handles serialized objects.

  PHP Object Injection vulnerabilities occur when user-supplied input is passed to the unserialize function, which can result in the instantiation of objects and the execution of the magic method __wakeup. In this specific case, the user could potentially pass a serialized object with a malicious __wakeup method to the $_REQUEST['ma'] variable, leading to the execution of arbitrary PHP code. This could allow an attacker to perform various malicious activities, such as executing system commands, creating, deleting, or modifying files, or even launching attacks against other systems. Consequently, the use of unserialize on user-supplied data in this function poses a severe security risk and could lead to a full server compromise if exploited successfully.

  To mitigate the risks associated with this vulnerability, it is crucial to avoid using the unserialize function on user-supplied input. Instead, alternative methods for handling user data, such as JSON encoding and decoding, should be employed. Additionally, input validation and sanitization should be implemented to ensure that only expected and safe data is processed by the application.

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious serialized payloads to the tables.php endpoint.
  • The query string parameter 'ma' is used to trigger the 'unserialize' function by injecting serialized data.

  The unserialize() deserialization vulnerability in PHP occurs when the unserialize() function is passed user input without adequate validation, consequently triggering magic methods like __wakeup() or __destruct() in an object-oriented context. These magic methods are invoked automatically during deserialization, providing an avenue for attackers to execute malicious code or carry out other harmful activities. The vulnerability underscores the importance of validating or sanitizing user input and avoiding the use of unserialize() with untrusted data, to prevent potential exploitation.

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  • IPS:15919 phpPgAdmin Insecure Deserialization

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Configure the vulnerable product to allow access to trusted clients only.
    • Update to a non-vulnerable version of the product.
    • Filter attack traffic using the signature above.
  A Third Party has released the following advisory regarding this vulnerability:
  Third Party Advisory

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Rockwell Automation's ThinManager is designed for managing thin clients, mobile devices, cameras, and industrial devices. Comprising both client and server components, the client facilitates device configuration while the server handles data transfer and client requests. To maintain data consistency across the system, ThinManager servers synchronize using messages sent via port TCP/2031. These messages, based on a proprietary protocol, are initiated with a Type value, with a notable emphasis on Type 13 messages.

  A significant vulnerability, specifically an integer overflow, has been identified in the Rockwell Automation ThinManager ThinServer. The root of this vulnerability is tied to the improper validation of input, particularly when processing Type 13 synchronization messages.

  This vulnerability is not merely a theoretical concern. In practical terms, a remote attacker, even without authentication, could harness this flaw. By dispatching a specially crafted request to the targeted server, they could exploit this vulnerability. If successful, the outcome could be severe, leading to a potential denial of service for the affected system.

  Vendor Homepage

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2914.

  CVE Listing

  The overall CVSS score is 7.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C).

  Base score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 7.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

  The vulnerability arises due to the unchecked value in the "Length of data" field. Specifically, this value is added to the current position pointer, which is set at 12 (0xC), without any prior verification.

  However, a problem emerges when a value exceeding 2,147,483,635 (0x7FFFFFF3) is inputted for the "Length of data" field. When combined with the current position pointer's value, it leads to an overflow, converting the resultant value into a negative signed 4-byte integer. This altered "calcLength" value, now being negative, would successfully pass the condition that checks if "calcLength" is less than or equal to "remainLength".

  This oversight is critical. As the aforementioned condition is met, the memcpy() function is subsequently invoked with an excessively large "Size" parameter. This can potentially trigger an out-of-bounds read error, culminating in the abrupt termination of the server.

  • The target must be running a vulnerable version of the software.
  • The attacker must have network access to the vulnerable software.

  The process begins when the attacker issues a request to establish a connection with the server. Once the server responds affirmatively to this request, a vulnerability is exposed. It is at this point that the attacker exploits the flaw by dispatching a Type 13 message containing an unusually expansive "Length of data" field. This action triggers the vulnerability, potentially compromising the system.

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Rockwell Automation ThinManager ThinServer Synchronization Protocol

  Attack Packet:
  

  • IPS: 4020 Rockwell Automation ThinServer Integer Overflow

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The Netgear ProSAFE Network Management System (NMS300) is a centralized and comprehensive management application designed for network administrators. It enables them to discover, monitor, configure, and report on SNMP-based enterprise-class network devices. The Netgear Network Management System NMS300 provides insights into network elements, including third-party devices, and its web-based user interface simplifies the process of monitoring and administering an entire network.

  An SQL injection vulnerability has been reported in Netgear ProSafe NMS300. This vulnerability arises due to improper input validation in the getNodesByTopologyMapSearch component.

  A remote, authenticated attacker could exploit this vulnerability by sending a specially crafted request to the target server. Successful exploitation of this vulnerability could result in SQL injection or, in the worst-case scenario, remote code execution in the context of the SYSTEM user.

  Vendor Homepage

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-38099.

  CVE Listing

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

  When a user navigates to the device list through the topology map search feature, an HTTP GET request is dispatched to the Request-URI "/topology.do?method=getDeviceListByDim". Upon receipt of this request, the function TopologyMapController.getDeviceByDim() is invoked. This function displays the values of all devices identified in the preceding search request. Multiple parameter values are saved into different variables, with the 'exclude' parameter being of particular relevance to this vulnerability. The value for the 'exclude' parameter is stored in the 'exclude' variable.

  Following this, the NodeInfoDao.getNodesTopologyMapSearch() method is invoked, passing the 'exclude' variable's value into the 'equips' variable. This function is responsible for constructing and running the SQL query needed to fetch the specified device list. The corresponding SQL query is stored as a string in the 'sql' variable:
  
  If the 'equips' variable's value is not empty, the string " and nodeId not in (equips) " is appended to the 'sql' variable's value (where equips is replaced by the 'equips' variable's value). The SQL query contained in the 'sql' variable is then executed, and the result of the query is returned.

  • The target must be running a vulnerable version of the software.
  • The attacker must have network access to the vulnerable software.
  • The attacker must have permission to view the device list via the Topology map search component.

  The vulnerability is triggered when the HTTP request is received that includes an embedded SQL injection which will get triggered when the request is processed.

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS
  What a successful GET Request might look like:
  

  • IPS: 4001 NETGEAR ProSAFE NMS300 SQL Injection

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  OpenEMR is a comprehensive open-source electronic health records (EHR) and medical practice management application. It provides an array of functionalities aimed at enhancing the efficiency of medical practice management. Among the critical features it provides are patient statistics, medical billing, electronic medical record (EMR) generation, and appointment scheduling. The listed capabilities empower medical practitioners, clinics, and hospitals to effectively manage and coordinate patient schedules, maintain detailed patient records, and streamline the billing process electronically. OpenEMR is designed with a flexible, user-friendly interface, making it an accessible solution for healthcare providers aiming to digitize and optimize their administrative and patient care processes. As an open-source platform, it also affords the flexibility of customization according to individual or institutional needs, further enhancing its applicability across a broad range of healthcare settings.

  A reflected cross-site scripting vulnerability has been identified in OpenEMR. This vulnerability arises from inadequate input validation associated with the 'list_id' parameter in 'share_template.php'.

  A remote attacker could exploit this vulnerability by enticing a victim to open a crafted URL. Successfully exploiting this vulnerability could result in arbitrary code execution in the context of the victim's browser.

  Vendor Homepage

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2948.

  CVE Listing

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

  The vulnerability stems from inadequate validation of the "list_id" parameter in the "share_template.php" file. When a request is submitted to the RequestURI at "library/custom_template/share_template.php", it leads to the generation of HTML content by "share_template.php". This content also encompasses some JavaScript code. Within the context of this generated JavaScript code, the value of the "list_id" parameter is manifested in the definition of a function called "add_template()", as illustrated below:
  
  where $list_id is sanitized first by using PHP htmlspecialchars() function.

  However, the use of htmlspecialchars() for XSS sanitization in this case is ineffective, as it only escapes the characters "<", ">", and single and double quotes. An attacker can bypass this limitation by sending malicious JavaScript code that excludes these specific characters in the "list_id" request parameter and delivering the request to the "share_template.php" endpoint. With a specially tailored "list_id" value, the attacker can interfere with the original "add_template()" function definition and append their own JavaScript code immediately after it. For instance, consider a situation where the "list_id" parameter contains a skillfully crafted value like the one below:
  
  Then "share_template.php" will generate the JavaScript code HTML format as below:
  
  In this scenario, the crafted value allows the original "add_template()" function definition to be escaped and a script command - "alert(55555)" - to be inserted right after the function's conclusion. Consequently, the "alert(55555)" will execute when the server-returned HTML content is loaded in the user's browser. If the "alert(55555)" were to be swapped with a different malicious script, it would lead to the execution of this harmful code in the browser, potentially triggering XSS opportunities.

  • The target system must have the vulnerable product installed and running.
  • The target user must have network connectivity to the affected ports.
  • The attacker must be able to deliver a malicious URL to a target user.

  A user is lured by an attacker into opening a URL that contains a carefully designed list_id parameter. The vulnerability manifests itself when the user initiates the URL in a web browser.

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS
  

  • IPS: 19216 OpenEMR Cross-Site Scripting

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following patch to address this issue:
  Vendor Advisory