Critical RCE Flaw in Citrix ShareFile Under Attack

July 31, 2023

Cybersecurity experts have raised an alarm, warning that a critical remote code execution (RCE) flaw in Citrix ShareFile, a popular cloud-based file-sharing application, has come under attack. This vulnerability, designated as CVE-2023-24489, affects the customer-managed ShareFile storage zones controller, and holds a high CVSS score of 9.1, indicating its severity.

An unauthenticated, remote attacker can exploit this flaw to compromise the controller by uploading an arbitrary file or executing arbitrary code. Citrix had previously addressed this vulnerability in June 2023 with the release of version 5.11.24. In an advisory, the company stated, “A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller. This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24.”

However, threat intelligence firm Greynoise has recently warned of the first attempts to exploit the vulnerability in Citrix ShareFile. According to Greynoise, “Attackers can exploit this vulnerability by taking advantage of errors in ShareFile’s handling of cryptographic operations. The application uses AES encryption with CBC mode and PKCS7 padding but does not correctly validate decrypted data. This oversight allows attackers to generate valid padding and execute their attack, leading to unauthenticated arbitrary file upload and remote code execution.”

Moreover, Greynoise has observed IPs attempting to exploit this vulnerability, some of which were previously unknown to the firm. The cybersecurity firm Assetnote also published technical details of the vulnerability, along with proof-of-concept (PoC) code for this flaw. Assetnote found that between 1000-6000 instances of ShareFile are internet accessible, making the software a prime target for attackers.

Given the software's popularity and its use for storing sensitive data, the impact of potential attacks could be significant. Other PoC exploits have been published online, leading experts to warn that the number of attacks exploiting this issue will likely increase rapidly. Assetnote concluded by saying, “Given the number of instances online and the reliability of the exploit, we have already seen a big impact from this vulnerability.”

Related News

• First Exploitation of Citrix ShareFile RCE Vulnerability Detected

Latest News

• CISA Investigates Malware Deployed in Barracuda ESG Attacks
• Active Exploitation of New Vulnerability in Ivanti Endpoint Manager Mobile
• Exploiting the MobileIron Zero-Day Bug: Researcher Reveals a Proof-of-Concept
• CISA Discovers New Submarine Malware in Hacked Barracuda ESG Appliances
• Ivanti Addresses New Zero-Day Exploit Used in Norwegian Government Attacks