
CISA Adds Citrix ShareFile Flaw to KEV Catalog Due to In-the-Wild Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active in-the-wild exploitation.

Tracked as CVE-2023-24489 (CVSS score: 9.8), the shortcoming has been described as an improper access control bug that, if successfully exploited, could allow an unauthenticated attacker to compromise vulnerable instances remotely.

The issue is rooted in ShareFile's handling of cryptographic operations, enabling adversaries to upload arbitrary files, resulting in remote code execution.

“This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24,” Citrix said in an advisory released in June. Dylan Pindur of Assetnote has been credited with discovering and reporting the issue.

It is worth noting that the first signs of exploitation of the vulnerability emerged towards the end of July 2023.

The identity of the threat actors behind the attacks is unknown, although the Cl0p ransomware gang has taken a particular interest in taking advantage of zero-days in managed file transfer solutions such as Accellion FTA, SolarWinds Serv-U, GoAnywhere MFT, and Progress MOVEit Transfer in recent years.


Threat intelligence firm GreyNoise said it observed a significant spike in exploitation attempts targeting the flaw, with as many as 75 unique IP addresses recorded on August 15, 2023, alone.

“CVE-2023-24489 is a cryptographic bug in Citrix ShareFile’s Storage Zones Controller, a .NET web application running under IIS,” GreyNoise said.

“The application uses AES encryption with CBC mode and PKCS7 padding but does not correctly validate decrypted data. This oversight allows attackers to generate valid padding and execute their attack, leading to unauthenticated arbitrary file upload and remote code execution.”
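The class of flaw GreyNoise describes, and its standard mitigation, can be seen in a short added example (not from the article, Citrix, or GreyNoise). It uses Node.js `crypto` as a stand-in for the .NET application, whose code the article does not show; the keys, function names and blob layout are assumptions. It contrasts AES-CBC input checked only by PKCS7 padding with an encrypt-then-MAC wrapper that rejects modified input before decrypting.

```javascript
// Added example: constructed keys and blob layout, not ShareFile code.
const crypto = require('node:crypto');

const ENC_KEY = crypto.randomBytes(32); // constructed AES-256 key
const MAC_KEY = crypto.randomBytes(32); // separate constructed HMAC key

// AES-256-CBC with PKCS7 padding (Node's default); output is IV || ciphertext.
function cbcEncrypt(plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', ENC_KEY, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
}

// Weak pattern: the only check on untrusted input is the PKCS7 padding,
// so any blob that happens to unpad cleanly is treated as genuine.
function openUnauthenticated(blob) {
  const d = crypto.createDecipheriv('aes-256-cbc', ENC_KEY, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]).toString('utf8');
}

// Hardened pattern: encrypt-then-MAC, tag computed over IV || ciphertext.
function seal(plaintext) {
  const body = cbcEncrypt(plaintext);
  const tag = crypto.createHmac('sha256', MAC_KEY).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Verify the tag in constant time before the cipher runs, and return null
// for every failure so padding errors and MAC errors look identical.
function open(blob) {
  if (blob.length < 16 + 16 + 32) return null;
  const body = blob.subarray(0, blob.length - 32);
  const tag = blob.subarray(blob.length - 32);
  const expected = crypto.createHmac('sha256', MAC_KEY).update(body).digest();
  if (!crypto.timingSafeEqual(tag, expected)) return null;
  try {
    return openUnauthenticated(body);
  } catch {
    return null;
  }
}

// Flip one bit of byte `index` in a copy of the blob (simulated tampering).
function flipBit(blob, index) {
  const out = Buffer.from(blob);
  out[index] ^= 0x01;
  return out;
}
```

An authenticated mode such as AES-GCM gives the same guarantee with a single primitive; the split construction above keeps the CBC and padding step visible for comparison.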

Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply vendor-provided fixes to remediate the vulnerability by September 6, 2023.

The development comes as security alarms have been raised about active exploitation of CVE-2023-3519, a critical vulnerability affecting Citrix’s NetScaler product, to deploy PHP web shells on compromised appliances and gain persistent access.

Update

Citrix told The Hacker News that a fix for CVE-2023-24489 was released on May 11, 2023, with Version 5.11.24, a month before the security advisory was released on June 13, 2023.


“Customer patching was proactively handled and, by June 13, over 83% of these customers had patched their environments, before the incident was made public,” a spokesperson for the company said. “Also, by June 13, all unpatched SZC hosts were blocked from connecting to the ShareFile cloud control plane, making unpatched SZC hosts unusable with ShareFile.”

It also emphasized that the incident affected less than 3% of its install base (2,800 customers), that there was no data theft observed, and that the surge in attacks has since “died down.”

(The story has been updated after publication to include a response from Citrix and to clarify that the issue was addressed in May 2023.)
