The US Cyber Security and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zone controllers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of an active in-the-wild exploit.
Tracked as CVE-2023-24489 (CVSS score: 9.8), the flaw is described as an unintended access control bug that, if successfully exploited, would allow an unauthenticated attacker to gain remote access to vulnerable instances.
The problem lies in ShareFile’s handling of cryptographic operations, which enables adversaries to upload arbitrary files, resulting in remote code execution.
“This vulnerability affects all currently supported versions of customer-managed ShareFile storage zone controllers prior to version 5.11.24,” Citrix said in an advisory issued in June. Dylan Pindur of Assetnote is credited with discovering and reporting the issue.
It is worth noting that the first signs of exploiting the vulnerability appeared at the end of July 2023.
The identities of the threat actors behind the attacks are unknown, however the CL0P ransomware gang has taken a particular interest in exploiting zero-days in managed file transfer solutions such as Excellion FTA, SolarWinds Serv-U, GoAnywhere MFT and Progress MOVEit transfer in recent years.
Threat intelligence firm GreyNoise said it has seen a significant increase in exploit attempts targeting the flaw, with 75 unique IP addresses recorded on August 15, 2023 alone.
“CVE-2023-24489 is a cryptographic bug in Citrix ShareFile’s storage zone controller, a .NET web application running under IIS,” said GreyNoise.
“The application uses AES encryption with CBC mode and PKCS7 padding but does not correctly validate decrypted data. This oversight allows attackers to generate valid padding and execute their attack, allowing unauthenticated arbitrary file Upload and remote code execution occurs.”
Federal Civilian Executive Branch (FCEB) agencies have been mandated to implement vendor-provided fixes to address the vulnerability by September 6, 2023.
This development comes as a security alarm has been raised about an active exploit of CVE-2023-3519, a critical vulnerability affecting Citrix’s NetScaler product, allowing PHP web shell to be deployed on compromised devices and To get continuous access.
