The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that a critical vulnerability in Citrix ShareFile is being targeted by unknown actors, and has added the flaw to its catalog of known security flaws exploited in the wild, tracked as CVE-2023-24489.
Citrix ShareFile (also known as Citrix Content Collaboration) is a managed file transfer SaaS cloud storage solution that allows customers and employees to upload and download files securely. CISA's alert went out August 16th.
On June 13th, Citrix released a security advisory on a new ShareFile storage zones vulnerability tracked as CVE-2023-24489 with a critical severity score of 9.8/10, which could allow unauthenticated attackers to compromise customer-managed storage zones.
From the advisory: "A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller."
Cybersecurity vendor experts offered their commentary on the advisory.
Dave Randleman, Field CISO at Coalfire:
"When exploited, this vulnerability lets attackers bypass authentication systems, allowing the attacker to remotely compromise ShareFile's 'zone controller.'
These zone controllers extend the ShareFile Software as a Service (SaaS) cloud storage by providing your ShareFile account with private data storage. ShareFile's private, customer-managed storage is often used to store encryption keys, which makes this vulnerability increasingly concerning, as attackers would be able to pivot into decryption of sensitive data.
Security teams need to rapidly access if they're utilizing ShareFile zone controller, outside side ShareFile of cloud environments. This vulnerability only affects customer-managed zone controllers. Teams utilizing ShareFile through Citrix's cloud platform are unaffected.
A new version of the zone controller is already available that fixes this potential exploit. Security teams should assess their ShareFile versions to make sure they're at least using a version newer than 5.11.24."
Travis Smith, Vice President, Threat Research Unit, at Qualys:
"This is an interesting vulnerability, a highly prevalent software with deployment globally In the private sector and in government agencies. Security teams should be concerned that this vulnerability could be exploited to deploy ransomware or exfiltrate data. This is very similar to the MOVEit vulnerability that resulted in multiple data breaches. The Qualys Threat Research Unit is closely monitoring the threat landscape to see if this is weaponized."
John Gallagher, Vice President, Viakoo Labs, at Viakoo:
"Organizations need to patch, however, the question is how long will threat actors have to exploit this vulnerability. Many organizations lack an inventory of their devices and applications, specifically around what versions they have. The ideal situation would be to have full visibility down to the firmware version number, combined with automated patching, and in the future, with SBOMs tied to each application. "
CISA's alert concludes: "CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria."
UPDATE on August 18:
A Citrix representative contacted SecureWorld News to provide the following clarification on behalf of David Le Strat, SVP of Product and Technology for ShareFile:
"We take security very seriously and protecting our customers' data is a cornerstone of our products. Please see our Security Update for the most up-to-date information.
We have seen some inaccuracies in reporting of the news, and want to ensure that the most up-to-date and accurate information is shared with regard to this vulnerability, and ShareFile's approach to assuring the safety of customers' data. Please see below a timeline of ShareFile's response to this incident and accurate figures in regard to the impact on customers.
Timeline:
- A fix for CVE-2023-24489 was released on May 11, 2023, with Version 5.11.24 (one month before the security bulletin was issued).
- Customer patching was proactively handled and, by June 13, over 83% of these customers had patched their environments, before the incident was made public. Also, by June 13, all unpatched SZC hosts were blocked from connecting to the ShareFile cloud control plane, making unpatched SZC hosts unusable with ShareFile.
- On Aug. 16, CISA added the CVE to their known exploited vulnerability catalog; while there was a spike to 75 attacks following this, this died down immediately given that the issue has been addressed.
Impact of Incident:
- When this vulnerability was discovered, we worked with and notified impacted customers in advance of the announced CVE to update to the latest version of our software to assure the safety of their data. Our control plane is no longer connected to any ShareFile StorageZones Controller (SZC) that is not patched.
- The incident affected less than 3% of our install base (2,800 customers)
- There is no known data theft from this incident."
