Citrix ShareFile vulnerability deemed critical by CISA and exploited in the wild (21st August 2023)

Ref# AL2023_62 | Date: Aug 21st 2023

Description

A critical vulnerability in the Citrix ShareFile secure file transfer product, tracked as CVE-2023-24489, is being exploited by unknown actors, according to the Cybersecurity and Infrastructure Security Agency (CISA), which has added it to its Known Exploited Vulnerabilities catalogue of flaws used in real-world attacks. Citrix ShareFile (previously known as Citrix Content Collaboration) is a managed file transfer (MFT) Software-as-a-Service (SaaS) cloud storage service that customers and employees use to securely upload and download files.

Additionally, the service provides enterprise customers with a “Storage zones controller” solution that enables them to set up their private data storage to host files at compatible cloud infrastructures like Windows Azure and Amazon S3.

Details

According to Citrix, a vulnerability in the customer-managed ShareFile storage zones controller could allow an unauthenticated attacker to remotely compromise the controller. The cybersecurity company AssetNote reported the weakness to Citrix and explained in a technical write-up that it stemmed from inconsistencies in ShareFile's use of AES encryption. The AssetNote researchers stated, "Through our investigation we were able to obtain unauthenticated arbitrary file upload and full remote code execution by exploiting a seemingly harmless cryptographic issue." A threat actor could use this vulnerability to upload a web shell to the device, giving them complete access to the storage zone and all of its files.
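The general class of mistake described above, encrypting a request parameter without authenticating it, is illustrated below. This is an added example written for this alert; it is not ShareFile's code, not AssetNote's proof of concept, and does not reproduce CVE-2023-24489. The keys, IV and parameter string are constructed. It shows that a server which only checks CBC padding accepts a blob an attacker has modified without the key (bit-flipping the IV rewrites the first plaintext block), while an encrypt-then-MAC design rejects the same tampering.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed, fixed keys so the example is reproducible; a real deployment
// would load random, per-installation keys from protected configuration.
var (
	encKey = []byte("0123456789abcdef") // 16-byte AES-128 key (constructed)
	macKey = []byte("fedcba9876543210") // separate HMAC key (constructed)
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns iv || AES-CBC(pkcs7(plain)). There is no integrity tag.
func cbcEncrypt(key, iv, plain []byte) []byte {
	block, _ := aes.NewCipher(key)
	padded := pkcs7Pad(append([]byte(nil), plain...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte(nil), iv...), out...)
}

// decryptUnauthenticated is the weak pattern: any blob whose padding happens
// to be valid after decryption is treated as a genuine server-issued value.
func decryptUnauthenticated(key, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(out, blob[aes.BlockSize:])
	return pkcs7Unpad(out)
}

// sealAuthenticated is encrypt-then-MAC: blob || HMAC-SHA256(macKey, blob).
func sealAuthenticated(encKey, macKey, iv, plain []byte) []byte {
	blob := cbcEncrypt(encKey, iv, plain)
	m := hmac.New(sha256.New, macKey)
	m.Write(blob)
	return m.Sum(blob)
}

// openAuthenticated verifies the tag in constant time before touching the cipher.
func openAuthenticated(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size {
		return nil, errors.New("bad length")
	}
	blob, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(blob)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, errors.New("authentication failed")
	}
	return decryptUnauthenticated(encKey, blob)
}

// tamperFirstBlock XORs the IV so the first plaintext block decrypts to
// newPlain instead of oldPlain. The attacker needs no key, only a captured
// blob and knowledge (or a guess) of the original first block.
func tamperFirstBlock(blob, oldPlain, newPlain []byte) []byte {
	t := append([]byte(nil), blob...)
	for i := 0; i < aes.BlockSize && i < len(oldPlain) && i < len(newPlain); i++ {
		t[i] ^= oldPlain[i] ^ newPlain[i]
	}
	return t
}

// demo runs the same tampering against both designs and reports the outcome.
func demo() (string, error, error) {
	iv := []byte("constructed-iv!!") // 16 bytes; fixed only for reproducibility
	oldPlain := []byte("dir=uploads/42") // constructed upload-target parameter
	newPlain := []byte("dir=../../../x") // same length, traversal-style value

	weak := cbcEncrypt(encKey, iv, oldPlain)
	got, weakErr := decryptUnauthenticated(encKey, tamperFirstBlock(weak, oldPlain, newPlain))

	strong := sealAuthenticated(encKey, macKey, iv, oldPlain)
	_, strongErr := openAuthenticated(encKey, macKey, tamperFirstBlock(strong, oldPlain, newPlain))
	return string(got), weakErr, strongErr
}

func main() {
	got, weakErr, strongErr := demo()
	fmt.Printf("unauthenticated CBC accepted: %q (err=%v)\n", got, weakErr)
	fmt.Printf("encrypt-then-MAC: err=%v\n", strongErr)
}
```

The unauthenticated decryptor returns the attacker's rewritten parameter with no error; the authenticated one fails closed before decrypting. The practical check for any product that round-trips encrypted identifiers or filenames through the client is whether a modified blob is rejected by a MAC or AEAD tag rather than by padding or parsing alone.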

Threat actors frequently exploit vulnerabilities of this kind, and CISA warns that they pose a serious risk to government enterprises. Although CISA issues similar warnings in many advisories, weaknesses in managed file transfer (MFT) products are of particular concern because threat actors have repeatedly used them to steal data from organisations for extortion.

The Clop ransomware group in particular has targeted this class of vulnerability in large-scale data-theft campaigns, exploiting zero-day flaws in SolarWinds Serv-U, GoAnywhere MFT and, most recently, MOVEit Transfer servers in widespread attacks.


Remediation

Although no public reports currently link this flaw to a specific data-theft incident, CISA's decision to add it to the Known Exploited Vulnerabilities catalogue reflects evidence of in-the-wild exploitation, and CISA requires Federal Civilian Executive Branch (FCEB) agencies to patch it by September 6, 2023. Citrix has addressed the issue in ShareFile storage zones controller version 5.11.24 and later. All organisations running a customer-managed storage zones controller should upgrade as soon as possible, given how actively this class of flaw is targeted.

The Guyana National CIRT recommends that users and administrators review this alert and apply the updates where necessary.
