Critical Citrix ShareFile Vulnerability Exploited: CISA Issues Warning
August 16, 2023
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical vulnerability in Citrix ShareFile, a secure file transfer and cloud storage product. The vulnerability, tracked as CVE-2023-24489, is being exploited by as-yet-unidentified threat actors. Citrix ShareFile, also known as Citrix Content Collaboration, lets customers and employees securely upload and download files. It also offers a 'storage zones controller' component with which enterprise customers host their own data storage on-premises or on supported cloud platforms such as Amazon S3 and Windows Azure.
On June 13th, 2023, Citrix published a security advisory for a new ShareFile storage zones vulnerability, CVE-2023-24489, carrying a critical severity score of 9.8 out of 10. The flaw lets unauthenticated attackers compromise customer-managed storage zones. Citrix stated, "A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller."
The vulnerability was reported to Citrix by the cybersecurity firm AssetNote. According to AssetNote's technical writeup, the flaw comes down to small mistakes in ShareFile's implementation of AES encryption. AssetNote researchers stated, "Through our research we were able to achieve unauthenticated arbitrary file upload and full remote code execution by exploiting a seemingly innocuous cryptographic bug." By exploiting the flaw, a threat actor can upload a web shell to the storage zones controller and gain full access to the storage zone and every file in it.
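The class of bug AssetNote describes, encrypted data that is not also authenticated, is easy to reproduce in miniature. The Go program below is an added illustration written for this page; it is not ShareFile's code and does not reproduce the actual CVE-2023-24489 logic. It uses a constructed key and an invented token format (role=...;file=...) to show that a lenient AES-CBC decryptor, which trusts the trailing pad byte and nothing else, accepts a token whose first block an attacker rewrote by flipping bits in the IV without knowing the key, while AES-GCM rejects the same message after a single flipped bit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// demoKey is a constructed 128-bit key for this illustration only; it is not a
// ShareFile key, and the token format used below is invented for the demo.
var demoKey = []byte("0123456789abcdef")

// EncryptCBC returns IV || AES-CBC ciphertext with no integrity tag: the weak design.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 pad length
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// DecryptCBCLenient decrypts, trusts the last byte as the pad length and strips it.
// Nothing here proves the ciphertext came from the key holder, so any input that
// happens to end in a plausible pad byte is accepted as genuine.
func DecryptCBCLenient(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n < 1 || n > aes.BlockSize || n > len(pt) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// FlipFirstBlock is the attacker's move: in CBC the first plaintext block is
// D(C1) XOR IV, so XORing known^target into the IV rewrites that block, no key needed.
func FlipFirstBlock(token, known, target []byte) []byte {
	forged := append([]byte(nil), token...)
	for i := 0; i < aes.BlockSize && i < len(known) && i < len(target); i++ {
		forged[i] ^= known[i] ^ target[i]
	}
	return forged
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptGCM returns nonce || ciphertext || tag using AES-GCM, an authenticated mode.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM verifies the tag before returning any plaintext; a single flipped
// bit in nonce, ciphertext or tag yields an error instead of forged data.
func DecryptGCM(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns+aead.Overhead() {
		return nil, errors.New("bad length")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

func main() {
	known := []byte("role=user;file=x") // constructed token, exactly one AES block
	token, _ := EncryptCBC(demoKey, known)
	forged := FlipFirstBlock(token, known, []byte("role=root;file=x"))
	pt, err := DecryptCBCLenient(demoKey, forged)
	fmt.Printf("CBC without authentication: %q err=%v\n", pt, err)

	sealed, _ := EncryptGCM(demoKey, known)
	sealed[len(sealed)-1] ^= 1 // tamper with one bit of the GCM tag
	_, err = DecryptGCM(demoKey, sealed)
	fmt.Println("AES-GCM after one flipped bit:", err)
}
```

Run it with `go run` and the first line shows the forged token decrypting cleanly to role=root. The lesson is the one AssetNote draws: a stricter padding check would not have helped, because the problem is that CBC without a MAC gives the server no way to tell attacker-crafted input from data it encrypted itself. An AEAD such as AES-GCM, or encrypt-then-MAC with a constant-time comparison, has to reject the message before any decrypted byte is trusted.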
CISA warns that vulnerabilities of this kind are frequent targets for threat actors and pose a significant risk to the federal enterprise. Vulnerabilities in managed file transfer (MFT) products are of particular concern, because they have been heavily exploited to steal corporate data for extortion. The Clop ransomware operation has been especially active here, running wide-scale data theft campaigns against MFT products (Accellion FTA, GoAnywhere MFT and MOVEit Transfer among them) since 2021.
AssetNote's writeup contained enough detail for threat actors to develop working exploits for CVE-2023-24489, and other researchers subsequently published their own exploits on GitHub. GreyNoise began tracking exploitation attempts on July 26th. GreyNoise noted, "GreyNoise observed a significant spike in attacker activity the day CISA added CVE-2023-24489 to their Known Exploited Vulnerabilities Catalog." So far GreyNoise has seen attempts to exploit ShareFile servers, or to check whether they are vulnerable, from 72 IP addresses, most of them in South Korea, with others in Finland, the United Kingdom, and the United States.
Although no confirmed breach or data theft has yet been publicly attributed to this flaw, CISA now requires Federal Civilian Executive Branch (FCEB) agencies to patch it by September 6th, 2023. Given the risk that MFT vulnerabilities carry, every organization running a customer-managed storage zones controller should update as soon as possible; the fix ships in storage zones controller 5.11.24 and later. Because exploitation attempts were under way before the KEV listing, administrators should also review controllers for unexpected files in the web application's directories rather than assume that patching alone closes the incident.