Organizations use Citrix ShareFile, a cloud-based platform, to store and share large files. It also allows users to create branded, password-protected files through their services.
ShareFile Storage Zone enables administrators to choose between ShareFile-managed, secure cloud or IT-managed storage zones (On-Prem) within an organization’s data center.
ShareFile Storage Zone Controller is an extended ShareFile Software as a Service cloud storage that offers private data storage with a ShareFile account.
Nevertheless, ShareFile has been discovered with a critical security flaw that allows threat actors to compromise customer-managed ShareFile Storage Zone controllers remotely.
In addition, this vulnerability has been added to the list of Known Exploited vulnerabilities by the CISA (Cybersecurity and Infrastructure Security Agency).
CVE-2023-24489: Improper Resource Control
Citrix ShareFile Storage Zone Controller is a .NET application that runs under IIS and uses AES encryption with CBC (Cipher Block Chaining) mode PKCS#7 (Public-Key Cryptography Standard) padding, which has a bug in validating the decrypted data.
Hence, this unauthenticated arbitrary file upload leading to remote code execution on Citrix ShareFile Storage Zone Controller exists due to an error in handling cryptographic operations.
NVD gave the severity for this vulnerability as 9.8 (Critical), as reported to Cyber Security News by GreyNoise.
As per the research from AssetNote, this vulnerability was initially started with a Path Traversal on the parentId parameter via upload.targetPath member variable. Furthermore, the encryption and authentication were researched and found with this cryptographic bug leading to remote code execution.
In addition, a PoC(Proof-of-concept) has been published on GitHub, opening a vast space for threat actors to target this vulnerability in vulnerable instances. As per the AssetNote report, 1000-6000 ShareFile Storage Zone Controllers cases have been exposed on the internet.
Citrix has released patches for a vulnerability that affects Citrix ShareFile Content Collaboration. However, network access to the ShareFile storage zones controller is required to exploit this vulnerability.
Users of this product are recommended to upgrade to the latest version of Citrix to prevent threat actors from exploiting it.
ShareFile’s Response to the Incident
“We take security very seriously here at ShareFile. Before the CVE release, we had patched, validated, and ran extensive testing against the product to validate its safety. Protecting our customers’ data is a cornerstone of our products.”
“We worked with and notified impacted customers before the announced CVE to update to the latest version of our software to assure the safety of their data. Our control plane is no longer connected to any ShareFile StorageZones Controller (SZC) that is not patched. We want to remind our customers that they should make sure that they entirely shut down any machine running an older version of the SZC software that has been disconnected from the ShareFile control plane.”