
Threat Actors Exploit Known Citrix ShareFile Flaw


UPDATE -- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical-severity Citrix bug to its known exploited vulnerabilities catalog and is “strongly urging” organizations to prioritize the patch for the flaw after discovering evidence of exploitation.

The vulnerability (CVE-2023-24489) exists in the Citrix file sharing and transfer application, ShareFile, and if exploited allows unauthenticated attackers to remotely compromise the customer-managed ShareFile storage zone controller. According to the ShareFile website, the storage zone controller is used to host private ShareFile storage subsystems for user data, and includes a web service that handles all HTTPS operations from end users and the ShareFile control subsystem.

The flaw impacts all currently supported versions of the storage zones controller prior to version 5.11.24. Citrix on May 11 released a fix in version 5.11.24 (which, as of Aug. 17, is the latest version). According to a Citrix spokesperson, over 83 percent of customers had patched their environments by June 13.

"Also, by June 13, all unpatched SZC hosts were blocked from connecting to the ShareFile cloud control plane, making unpatched SZC hosts unusable with ShareFile," according to David Le Strat, SVP Product & Technology for ShareFile. "On Aug. 16, CISA added the CVE to their known exploited vulnerability catalog; while there was a spike to 75 attacks following this, this died down immediately given that the issue has been addressed."

Le Strat said the incident impacted less than 3 percent of the install base, or around 2,800 customers. The flaw stems from improper resource controls within the storage zone controller; an attacker must have network access to the ShareFile storage zones controller to successfully exploit the flaw, according to Citrix.
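The one concrete remediation fact in this report is the version threshold: storage zones controller builds older than 5.11.24 are affected. The script below is an added example (not from the article, Citrix or CISA) that triages a constructed host inventory against that threshold. Hostnames and installed versions are made up; the only value taken from the article is the fixed version. It compares versions component by component rather than as strings, because a plain string comparison would wrongly rank "5.11.9" above "5.11.24".

```python
"""Added example: flag ShareFile storage zones controller (SZC) hosts whose
installed version is older than the fix for CVE-2023-24489.

Only the fixed version (5.11.24) comes from the article; the inventory
below is constructed sample data, not a real environment.
"""

from typing import List, Tuple

FIXED_VERSION = "5.11.24"  # fix version named in the article


def parse_version(v: str) -> Tuple[int, ...]:
    """Convert a dotted version string into a tuple of ints so that
    comparison is numeric per component (5.11.9 < 5.11.24) instead of
    lexicographic, where "5.11.9" > "5.11.24" would give a false 'patched'.
    """
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed SZC version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that still need the patch, in inventory order."""
    return [host for host, version in inventory if is_vulnerable(version)]


# Constructed sample inventory: (hostname, installed SZC version).
SAMPLE_INVENTORY = [
    ("szc-01.example.internal", "5.11.24"),  # at the fixed version
    ("szc-02.example.internal", "5.11.9"),   # older, despite sorting 'higher' as a string
    ("szc-03.example.internal", "5.10.2"),   # older minor release
    ("szc-04.example.internal", "5.11.30"),  # hypothetical newer build
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: unpatched, below {FIXED_VERSION}")
```

Running it lists szc-02 and szc-03 as unpatched. Note that the article also states unpatched hosts were blocked from the ShareFile control plane on June 13, so a host found by this check is not only vulnerable but also non-functional until updated.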


“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” according to CISA’s Wednesday advisory. “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.”

Researchers with Assetnote, which found the flaw, said that an online search shows roughly 1,000 to 6,000 instances are internet accessible.

“Although the particular endpoint is not enabled in all configurations, it has been common amongst the hosts we have tested,” said Dylan Pindur, security researcher with Assetnote, in a July analysis. “Given the number of instances online and the reliability of the exploit, we have already seen a big impact from this vulnerability.”

While CISA did not give further details on the threat activity related to the Citrix ShareFile bug, researchers with GreyNoise on Wednesday said that they have observed “a huge spike” in exploit activity related to the flaw and warned organizations to patch as soon as possible.

Citrix has been dealing with another exploited vulnerability recently: A remote code execution flaw (CVE-2023-3519) in the NetScaler ADC and Gateway products that has been targeted by at least three different threat actors. Mandiant this week released a tool to help organizations detect appliances vulnerable to this bug that have been potentially compromised.

This article was updated on Aug. 22 with further clarifications on the patch dates and impact of the flaw from Citrix.