CISA Adds Citrix ShareFile Flaw to KEV Catalog Due to In-the-Wild Attacks

Cyber Security Threat Summary:
CISA recently added a critical flaw to its known catalog of actively exploited vulnerabilities. Tracked as CVE-2023-24489, the flaw relates to an improper access control bug in Citrix ShareFile storage zones controller and can be exploited by an unauthenticated threat actor to remotely compromise the controller. In particular, the issue stems from errors in ShareFile’s handling of cryptographic operations. Although the application uses AES encryption with CBC mode and PKCS7 padding, it does not correctly validate decrypted data. As such a threat actor could exploit this issue to upload arbitrary files.

Security Officer Comments:
CVE-2023-24489 affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24 and was addressed on June 2023. Despite the flaw being patched, GreyNoise has observed several IPs attempting to exploit the vulnerability, as many as 75 unique IP addresses being recorded on August 15, 2023, alone. The development comes after researchers at cybersecurity firm Assetnote published technical details of the vulnerability and proof-of-concept (PoC) code for this flaw on July 4, 2023. With other PoCs being published online since then, we will likely see a continuation of threat actors exploiting the flaw in attacks.

Suggested Correction(s):
CISA is urging federal agencies to patch their instances as soon as possible by updating to the latest version of ShareFile storage zones controller, version 5.11.24 and later.

Link(s):
https://thehackernews.com/2023/08/cisa-adds-citrix-sharefile-flaw-to-kev.html
https://viz.greynoise.io/tag/citrix-sharefile-rce-attempt?days=30