CISA, vendors warn Citrix ShareFile flaw under attack

CISA added a critical Citrix ShareFile vulnerability first disclosed in June to its Known Exploited Vulnerabilities catalog Wednesday amid active exploitation that appears to be increasing.

The improper access control vulnerability, tracked as CVE-2023-24489, affects customer-managed ShareFile storage zones controller before version 5.11.24 and received a critical CVSS score of 9.8. Citrix addressed the flaw, which was discovered by researchers at cybersecurity vendor Assetnote, in a June bulletin. Citrix warned that exploitation could allow an unauthenticated attacker to remotely compromise the cloud-based managed file transfer (MFT) product and required users to upgrade to the fixed version.

Two months later, CVE-2023-24489 is being actively exploited. CISA added the flaw to its KEV catalog Wednesday, meaning the government agency observed adversary activity and enterprises should prioritize remediation.

Cybersecurity vendor GreyNoise also documented exploitation activity that increased this week.

"GreyNoise observed a significant spike in attacker activity the day CISA added CVE-2023-24489 to their Known Exploited Vulnerabilities Catalog," GreyNoise wrote in a blog post.

The blog included a graph that tracked malicious activity against the ShareFile flaw. While there was minimal activity throughout June and July, GreyNoise observed 72 IP addresses attempting to exploit CVE-2023-24489 on Aug. 15, the day before the flaw was added to the catalog. The cybersecurity vendor told TechTarget Editorial that it appears attackers are leveraging compromised infrastructure in both South Korea and the United States to the launch the observed attacks.

UPDATE 8/18: In a statement to TechTarget Editorial, Citrix said a fix for CVE-2023-24489 was released with ShareFile version 5.11.24 on May 11, and that more than 83% of customers had patched the vulnerability prior to the June disclosure. The company added that while there was a spike in threat activity following the KEV catalog addition, which amounted to 75 attacks, the activity "died down immediately given that the issue has been addressed."

"When this vulnerability was discovered, we worked with and notified impacted customers in advance of the announced CVE to update to the latest version of our software to assure the safety of their data. Our control plane is no longer connected to any ShareFile StorageZones Controller (SZC) that is not patched," Citrix said in the statement. "The incident affected less than 3% of our install base (2,800 customers). There is no known data theft from this incident."

While ShareFile uses AES encryption with cipher block chaining mode and PKCS 7 padding, GreyNoise said the vulnerability can be exploited due to a design flaw where the application does not correctly validate decrypted data. Like CISA, GreyNoise urged users to apply the latest patch.

"Attackers can exploit this vulnerability by taking advantage of errors in ShareFile's handling of cryptographic operations. This oversight allows attackers to generate valid padding and execute their attack, leading to unauthenticated arbitrary file upload and remote code execution," the blog post said.

GreyNoise also warned that proof of concept (PoC) exploits have been published for CVE-2023-24489 on GitHub, increasing the probability that attackers will leverage the flaw in future attacks. However, Assetnote researchers were the first to release the PoC in July along with a blog post that urged developers to be cautious when working with cryptographic code because "it can be easy to make subtle mistakes."

"Given the number of instances online and the reliability of the exploit, we have already seen a big impact from this vulnerability," Assetnote wrote in the blog.

ShareFile is the latest MFT product to be targeted and recent attacks show successful results for adversaries. The Clop ransomware gang has engaged in an ongoing campaign against Progress Software MoveIT Transfer customers tracing back to a zero-day attack in May. Fallout has been substantial as victims continue to emerge three months later. Prior to that, Clop operators exploited another zero-day flaw in Fortra's GoAnywhere managed file transfer product that led to prominent victims such as Rubrik and Hitachi Energy, along with healthcare organizations.