Critical Citrix ShareFile vulnerability under active attack called out by CISA

Unauthenticated attackers are able to upload arbitrary files to compromised systems


The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the Citrix ShareFile storage zones controller (CVE-2023-24489) to its Known Exploited Vulnerabilities (KEV) catalogue.

The flaw, which has a CVSS score of 9.8, is being actively exploited, according to the agency. It allows a remote, unauthenticated attacker to compromise vulnerable customer-managed ShareFile storage zones controllers because of insecure access controls around the controller's cryptographic operations.

Threat actors are able to upload arbitrary files to a vulnerable system and achieve remote code execution (RCE).

All currently supported ShareFile storage zones controller versions prior to 5.11.24 are affected, according to a Citrix advisory.

Customers using on-premises or self-managed ShareFile storage zones controllers are urged to upgrade as soon as possible. Customers using ShareFile-managed storage zones in the cloud do not need to take any action.
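Turning the upgrade guidance into a check is mostly a matter of comparing versions correctly, and the obvious string comparison gets it wrong ("5.9.0" sorts after "5.11.24" lexically). The script below is an added example, not code from the article or from Citrix: it takes a constructed inventory of storage zones controller hosts, skips Citrix-managed cloud zones as the advisory says no action is needed there, and flags customer-managed controllers below 5.11.24. The inventory format, hostnames and the `managed_by` field are assumptions for the example.

```python
# Added example (not from the article or from Citrix): flag ShareFile storage
# zones controller hosts whose version is below the fixed release 5.11.24.
from typing import Iterable

FIXED_VERSION = "5.11.24"  # fixed release named in the Citrix advisory


def parse_version(ver: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so ordering is numeric.

    A plain string comparison is wrong here: "5.9.0" > "5.11.24" lexically,
    although 5.9.0 is the older build.
    """
    parts = ver.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(ver: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(ver) < parse_version(fixed)


def triage(inventory: Iterable[dict]) -> list[dict]:
    """Return the hosts that still need the upgrade.

    The inventory schema is assumed for this example: each entry has "host",
    "version" and "managed_by" ("customer" or "citrix"). Citrix-managed cloud
    zones need no action per the advisory, so only customer-managed
    controllers are checked.
    """
    needs_patch = []
    for host in inventory:
        if host.get("managed_by") != "customer":
            continue
        if is_vulnerable(host["version"]):
            needs_patch.append({**host, "fixed_in": FIXED_VERSION})
    return needs_patch


# Constructed inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "szc-01.example.internal", "version": "5.11.24", "managed_by": "customer"},
    {"host": "szc-02.example.internal", "version": "5.9.0", "managed_by": "customer"},
    {"host": "szc-03.example.internal", "version": "5.11.20", "managed_by": "customer"},
    {"host": "cloud-zone", "version": "5.11.24", "managed_by": "citrix"},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        print(f"{h['host']}: {h['version']} < {h['fixed_in']} -> upgrade")
```

Run against a real inventory export, the only part that needs changing is the loader for `SAMPLE_INVENTORY`; the comparison logic is the part worth keeping.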

The vulnerability was discovered and reported by Dylan Pindur of Assetnote in July.

Evidence of exploitation by hackers was first seen later in July. The identity of the threat actors is currently unknown.

File sharing services are popular targets for cyberattacks, which is one reason for CISA's call to action.

The Clop ransomware gang recently absconded with data from hundreds of large companies and public sector organisations through a supply chain attack on the MOVEit file transfer software.

Citrix NetScaler vulnerability

The new addition to the KEV catalogue comes amid existing concerns over active attacks exploiting another critical vulnerability CVE-2023-3519 in Citrix NetScaler.

In July, CISA warned that this vulnerability had been used in an attack on a critical infrastructure organisation in the US, where the attackers were able to steal credentials from Active Directory.

This vulnerability has also been patched, with Citrix urging affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

However, it is reported that a threat actor has already compromised almost 2,000 Citrix NetScaler servers.

Update

A spokesperson from ShareFile contacted Computing with a link to the company's latest security update, saying a fix for CVE-2023-24489 was released on 11th May with version 5.11.24, one month before the security bulletin was issued. The company said that by 13th June, over 83% of these customers had patched their environments, before the incident was made public. Also, by 13th June, all unpatched SZC (storage zones controller) hosts were blocked from connecting to the ShareFile cloud control plane, making unpatched SZC hosts unusable with ShareFile. The incident affected fewer than 3% of customers and no data theft was reported.