Experts Warn Attackers Started Exploiting Citrix ShareFile RCE Flaw CVE-2023-24489

Cyber Security Threat Summary:
Citrix ShareFile is a widely used cloud-based file-sharing application that is affected by a critical remote code execution (RCE) vulnerability tracked as CVE-2023-24489 (CVSS score of 9.1). The flaw impacts the customer-managed ShareFile storage zones controller. An unauthenticated, remote attacker can trigger the flaw to compromise the controller by uploading an arbitrary file or executing arbitrary code.

Citrix addressed the vulnerability in June 2023 with the release of version 5.11.24.

"A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller. This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24," the company said in an advisory.

Security Officer Comments:
Researchers from GreyNoise began warning of active attempts to exploit the vulnerability in Citrix ShareFile. The application uses AES encryption in CBC mode with PKCS7 padding but does not properly validate the decrypted data. Because of this flaw, threat actors are able to generate valid padding and execute an attack leading to unauthenticated arbitrary file upload and remote code execution.
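The following is an added example, not code from Citrix, GreyNoise or Assetnote. It shows why a valid PKCS7 padding check is not an integrity check, and how verifying a MAC before decryption closes that gap. The function names, the token layout (IV || ciphertext || tag) and the use of random bytes in place of real AES-CBC output are assumptions made for illustration.

```python
import hashlib
import hmac
import random

BLOCK = 16      # AES block size in bytes
TAG_LEN = 32    # HMAC-SHA256 tag length

def pkcs7_unpad(data: bytes) -> bytes:
    """Strict PKCS7 unpadding; raises ValueError on malformed padding."""
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def padding_only_accept_rate(trials: int, seed: int = 1) -> float:
    """Share of unauthenticated final blocks that pass the padding check alone.

    Assumption: uniformly random bytes model the CBC decryption of
    ciphertext the receiver did not create (constructed input, no real AES).
    """
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        block = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        try:
            pkcs7_unpad(block)
            accepted += 1
        except ValueError:
            pass
    return accepted / trials

def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC framing: IV || ciphertext || HMAC(IV || ciphertext)."""
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag

def open_checked(mac_key: bytes, token: bytes) -> tuple:
    """Verify the tag before any decryption or unpadding is attempted."""
    if len(token) < 2 * BLOCK + TAG_LEN or (len(token) - TAG_LEN) % BLOCK:
        raise ValueError("malformed token")
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return body[:BLOCK], body[BLOCK:]   # safe to hand to the AES-CBC decryptor
```

A padding-only check accepts roughly 1 in 256 blocks it was never meant to see, while the MAC check rejects any modified token before the padding is ever inspected.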

GreyNoise has observed multiple IPs attempting to exploit this vulnerability. Researchers from Assetnote have published technical details and a proof of concept (PoC) for the flaw, so we expect active exploitation to increase as more threat actors weaponize this vulnerability.

Assetnote says they were able to scan the Internet and found roughly 1000-6000 instances of internet-accessible Citrix ShareFile applications.

Suggested Correction(s):
Other PoC exploits have been published online. For this reason, experts warn that the number of attacks exploiting this issue will rapidly increase in the forthcoming days. Users should work to patch the issue as soon as possible.