CISA added CVE-2023-24489 to the Known Exploited Vulnerabilities Catalog in August 2023. CVE-2023-24489 is an access control vulnerability impacting the use of Citrix ShareFile StorageZones Controller version 5.11.24 and below.
Citrix ShareFile is a real-time collaboration platform. While ShareFile primarily offers a cloud-based file-sharing application, some features accommodate on-premises data storage through a storage zone controller. Citrix Systems, Inc. stated in its security advisory that only the customer-managed extension with private storage is vulnerable to exploitation at this time, and it urges all users of this component to upgrade to the latest version. ShareFile is also known as Citrix Content Collaboration.
What is CVE-2023-24489?
Citrix ShareFile is affected by an improper access control vulnerability tracked as CVE-2023-24489 in the National Vulnerability Database (NVD). The vulnerability was originally reported by AssetNote, whose proof-of-concept attack illustrates how an unauthenticated attacker can exploit a cryptographic bug. Improper access control means that attackers can gain access to your system without authentication or authorization. In this case, remote attackers can achieve remote code execution (RCE) because of flaws in ShareFile's cryptographic operations: the decryption process is not validated properly, which enables attackers to generate a payload that the system accepts as valid.
For impacted versions of the customer-managed ShareFile storage zones controller, attackers can compromise the system by uploading a webshell, which gives them access to sensitive information held in private data storage. They could then perform further arbitrary file uploads or transfers and access personal identifiers and other data. Further information on improper access control is available in MITRE's Common Weakness Enumeration (CWE) documentation.
This CVE carries a Common Vulnerability Scoring System (CVSS) base score of 9.8, rated critical. A critical score reflects the impact an unauthenticated attacker could have on your system, and because CVE-2023-24489 is a known exploited vulnerability, that impact is not hypothetical: the consequences for an unpatched system could be immense. Threat actors have targeted similar products, as in the attacks on Accellion, MOVEit Transfer, and GoAnywhere.
Remote attackers can exploit CVE-2023-24489 through padding exceptions raised during the decryption process. Dylan Pindur identified how ShareFile's use of the default .NET AES encryption in Cipher Block Chaining (CBC) mode exposes these exceptions to a caller. Unauthenticated CBC encryption is considered outdated precisely because decryption errors of this kind permit padding-oracle attacks. Exploitation of CVE-2023-24489 uses this approach to generate a payload that the system perceives as legitimate even though it comes from an unauthenticated remote attacker.
To keep your system secure, deploy an authenticated encryption algorithm such as the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM). The National Institute of Standards and Technology (NIST) Special Publication 800-38D recommends AES-GCM for its authentication and validation properties. GCM is still a block cipher mode, but it provides authenticated encryption and authenticated decryption functions that require a verification tag, so altered ciphertext is rejected before any plaintext is released. CBC, in contrast, encrypts and decrypts the data without an authentication tag and therefore cannot detect tampering on its own.
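The contrast between the two modes described in the preceding paragraphs can be demonstrated directly. The following Go program is an added example written for this article; it is not code from Citrix, AssetNote, or ShareFile, and it uses Go's standard library rather than the .NET API the article discusses. It encrypts a constructed sample message with unauthenticated AES-CBC and with AES-GCM, flips one byte in the first ciphertext block of each, and records how each mode reacts. The key and message are constructed sample values, and the separate ErrBadPadding error in cbcDecrypt exists to show the distinguishable failure that a padding-oracle attack depends on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrBadPadding is returned when a CBC ciphertext decrypts to malformed PKCS#7
// padding. Surfacing this error distinctly from other failures is what turns an
// unauthenticated CBC decryptor into a padding oracle; it is kept distinct here
// only to make that failure mode visible.
var ErrBadPadding = errors.New("invalid PKCS#7 padding")

// pkcs7Pad appends PKCS#7 padding so the length is a multiple of blockSize.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding, returning ErrBadPadding if it is malformed.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, ErrBadPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrBadPadding
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt is AES-CBC with a random IV and no authentication tag, i.e. the
// unauthenticated construction the article warns about. Output is IV || ciphertext.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// cbcDecrypt has nothing but the padding to tell it whether the ciphertext was
// altered, so tampering that leaves the final block intact goes unnoticed.
func cbcDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length invalid")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, aes.BlockSize)
}

// gcmEncrypt is AES-GCM (NIST SP 800-38D). Output is nonce || ciphertext || tag.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmDecrypt verifies the tag before releasing any plaintext; a change to the
// nonce, ciphertext or tag yields an error and no partial output.
func gcmDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// TamperResult records how each mode reacted to a single flipped ciphertext byte.
type TamperResult struct {
	CBCRejected    bool // did CBC return an error?
	CBCPlaintextOK bool // did CBC hand back the original plaintext?
	GCMRejected    bool // did GCM return an error?
}

// tamperDemo encrypts plaintext with both modes, flips one byte in the first
// ciphertext block (leaving the CBC padding block untouched) and reports the result.
func tamperDemo(key, plaintext []byte) (TamperResult, error) {
	var r TamperResult
	cbc, err := cbcEncrypt(key, plaintext)
	if err != nil {
		return r, err
	}
	gcm, err := gcmEncrypt(key, plaintext)
	if err != nil {
		return r, err
	}
	cbc[aes.BlockSize+3] ^= 0x01 // byte 3 of the first ciphertext block, after the 16-byte IV
	gcm[12+3] ^= 0x01            // byte 3 of the ciphertext, after the 12-byte GCM nonce

	pt, err := cbcDecrypt(key, cbc)
	r.CBCRejected = err != nil
	r.CBCPlaintextOK = err == nil && bytes.Equal(pt, plaintext)

	_, err = gcmDecrypt(key, gcm)
	r.GCMRejected = err != nil
	return r, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real secret
	msg := []byte("constructed sample: storage zone controller session token 0123456789")
	r, err := tamperDemo(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CBC rejected tampering: %v (plaintext intact: %v)\n", r.CBCRejected, r.CBCPlaintextOK)
	fmt.Printf("GCM rejected tampering: %v\n", r.GCMRejected)
}
```

Running it shows CBC returning corrupted plaintext with no error, because the padding block was untouched, while GCM rejects the message outright. The defensive lesson for any service that still decrypts CBC input is the inverse of the demo: never return padding errors that a caller can distinguish from other failures, and prefer an authenticated mode so that integrity is checked before decryption is attempted.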
CVE-2023-24489 follows two previous critical vulnerabilities that impacted the Citrix ShareFile storage zones controller in 2021. Like the current vulnerability, CVE-2021-22941 allowed unauthenticated remote compromise due to improper access control to the controller; threat actors were able to achieve path traversal and remote code execution on any version before 5.11.20, and a known threat actor used it to compromise a Microsoft Internet Information Services (IIS) server. Similarly, CVE-2023-22891 permitted access to attackers because of a missing authorization check.
Scripts that illustrate the proof-of-concept attack have since been published on GitHub for educational purposes. Although these scripts are provided for informational use, malicious actors could repurpose them.
It is therefore crucial to remain vigilant about how your external attack surface may be exposed to compromise.
How UpGuard Can Help
UpGuard's passive scanning techniques detect when Citrix products are in use among your public-facing assets. When UpGuard identifies ShareFile in your toolchain, you are notified with an informational risk stating that Citrix ShareFile has been detected.
If you use the ShareFile StorageZones Controller, you can assess your exposure by checking which version you run. For customer-managed controllers with private data storage, any ShareFile version 5.11.24 and below is vulnerable. The vulnerability does not appear to affect Citrix's cloud-managed storage zones at this time.
If you or a vendor use Citrix technologies, you should determine whether ShareFile has been updated to a secure version. You can send a remediation request within UpGuard, which enables the technology owner to confirm the current version of the product.
How to Mitigate Impacts from Citrix ShareFile CVE-2023-24489
If your systems have been compromised by malicious actors, work with your security team on an immediate incident response plan that includes quarantining compromised systems and following recommended security practices. If your system runs one of the impacted versions but has not been exploited, follow the mitigation recommendations below to prevent the ShareFile RCE.
Upgrade your Citrix ShareFile Storage Zones Controller
Citrix has issued a security update for the ShareFile storage zones controller, urging immediate action for any customer-managed controller running version 5.11.24 or below. Citrix recommends backing up your server and configuration before shutting down machines running affected versions.
You can then upgrade to a fixed version provided by Citrix and follow the installation and launch process they provide.
For additional guidance on Citrix security bulletins, visit support.citrix.com, and continue reading for recommendations on how to mitigate the potential impact of these vulnerabilities.