The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed a significant security vulnerability in the Citrix ShareFile storage zones controller in its Known Exploited Vulnerabilities (KEV) catalog, following credible assessments of active exploitation in the wild.
This vulnerability, designated as CVE-2023-24489, holds a critical CVSS score of 9.8 and is characterized as an improper access control flaw. If successfully exploited, this issue could enable an unauthenticated attacker to remotely compromise vulnerable instances of the software.
The root cause lies in how ShareFile manages cryptographic operations, which allows attackers to upload arbitrary files and potentially execute remote code. Such vulnerabilities often fall within the “Initial Access” and “Execution” tactics of the MITRE ATT&CK framework, where adversaries gain entry into systems and subsequently execute malicious code.
Citrix has confirmed that this vulnerability impacts all currently supported versions of the customer-managed ShareFile storage zones controller prior to version 5.11.24. The issue was first reported by Dylan Pindur of Assetnote.
Exploitation attempts began surfacing towards the end of July 2023, with threat intelligence firm GreyNoise reporting a notable increase in these attempts. On August 15 alone, as many as 75 unique IP addresses were identified targeting this flaw. The attacking entities remain unidentified, although notable ransomware groups have historically exploited similar vulnerabilities in managed file transfer solutions.
GreyNoise’s analysis indicates that CVE-2023-24489 stems from a cryptographic issue in Citrix ShareFile’s Storage Zones Controller, a .NET application that uses AES encryption in CBC mode with PKCS7 padding. Because the controller does not properly validate decrypted data, an attacker can craft ciphertexts that decrypt to valid padding, which leads to unauthorized file uploads and potential execution of malicious code.
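The weakness GreyNoise describes is the classic "decrypt first, then check the padding" pattern: when a CBC/PKCS7 decryptor reports a padding failure differently from an accepted message, each tampered ciphertext yields one bit of information about the plaintext. The example below, written for this article and not taken from ShareFile or Citrix, contrasts that vulnerable pattern with encrypt-then-MAC, where the integrity tag is checked (in constant time) before any decryption happens, so every tampered token gets the same answer. It uses a toy 16-byte Feistel block cipher built from HMAC-SHA256 as an assumed stand-in for AES so that it runs on the standard library alone; the token layout, key names and the `upload-id=…` sample payload are likewise constructed for illustration.

```python
import hmac
import hashlib
import secrets

BLOCK = 16
TAG_LEN = 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 16-byte block cipher (assumption: stand-in for AES, 4-round Feistel
# network with an HMAC-SHA256 round function). Only CBC/PKCS7 handling matters.
def _round(key, half, i):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out


class PaddingError(Exception):
    """Distinguishable failure: this is what turns the decryptor into an oracle."""


def vulnerable_open(enc_key, token):
    """Vulnerable pattern: decrypt, then validate padding, then report the result."""
    iv, ct = token[:BLOCK], token[BLOCK:]
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except ValueError:
        raise PaddingError("invalid padding")  # answer differs from an accepted token


def hardened_seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: tag covers IV and ciphertext with a separate key."""
    iv = secrets.token_bytes(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def hardened_open(enc_key, mac_key, token):
    """Verify the tag in constant time before decrypting; one generic error for any failure."""
    if len(token) < 2 * BLOCK + TAG_LEN:
        raise ValueError("rejected")
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("rejected")  # nothing was decrypted, nothing is learned
    return pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))


def tamper_check():
    """Defender's unit test: flip the byte feeding the final plaintext byte through
    every value and collect the distinct answers each decryptor gives back."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"upload-id=1234;owner=alice"  # constructed sample payload (26 bytes)
    iv = secrets.token_bytes(BLOCK)
    vuln_token = iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    hard_token = hardened_seal(enc_key, mac_key, msg)
    vuln_answers, hard_answers = set(), set()
    for b in range(1, 256):  # skip b == 0, which leaves the token untouched
        t = bytearray(vuln_token)
        t[-BLOCK - 1] ^= b  # last byte of the penultimate block
        try:
            vulnerable_open(enc_key, bytes(t))
            vuln_answers.add("accepted")
        except PaddingError:
            vuln_answers.add("padding-error")
        h = bytearray(hard_token)
        h[-TAG_LEN - BLOCK - 1] ^= b  # same position, before the tag
        try:
            hardened_open(enc_key, mac_key, bytes(h))
            hard_answers.add("accepted")
        except ValueError:
            hard_answers.add("rejected")
    return vuln_answers, hard_answers


if __name__ == "__main__":
    print(tamper_check())  # vulnerable path gives two answers, hardened path gives one
```

The check in `tamper_check` is the property to assert in a code review or regression test: for the hardened path the set of answers to tampered tokens has exactly one element, while the vulnerable path answers differently for at least one flipped value (the one that happens to produce valid one-byte padding). Checking the MAC before decryption, using separate keys for encryption and authentication, and never distinguishing padding failures from other failures removes the oracle; an AEAD mode such as AES-GCM gives the same guarantee with less room for error.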
In response to this situation, federal agencies have been ordered to implement vendor-provided patches to address this vulnerability by September 6, 2023. This urgency reflects broader concerns around active exploitations of another significant vulnerability, CVE-2023-3519, associated with Citrix’s NetScaler product.
Update
Citrix has reported that a fix for CVE-2023-24489 was made available on May 11, 2023, with version 5.11.24 released before the advisory was published on June 13, 2023. The company stated that proactive patching measures led to over 83% of affected customers securing their environments prior to public disclosure. Unpatched Storage Zones Controller hosts were blocked from accessing the ShareFile cloud control plane, limiting potential exposure.
Citrix further emphasized that less than 3% of their customer base was affected, with no data breaches reported and a subsequent decline in attack attempts.
(This article has been updated to include Citrix’s response and to clarify that the issue was addressed in May 2023.)