Hacking

Experts warn attackers started exploiting Citrix ShareFile RCE flaw CVE-2023-24489

Researchers warn that threat actors started exploiting Citrix ShareFile RCE vulnerability CVE-2023-24489 in the wild.

Citrix ShareFile is a widely used cloud-based file-sharing application, which is affected by the critical remote code execution (RCE) tracked as CVE-2023-24489 (CVSS score of 9.1).

The flaw impacts the customer-managed ShareFile storage zones controller, an unauthenticated, remote attacker can trigger the flaw to compromise the controller by uploading arbitrary file or executing arbitrary code.

Citrix addressed the vulnerability in June 2023 with the release of version 5.11.24.

“A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.” the company said in an advisory. “This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24.”

Researchers from threat intelligence firm Greynoise warn of the first attempts to exploit the vulnerability in Citrix ShareFile.

“Attackers can exploit this vulnerability by taking advantage of errors in ShareFile’s handling of cryptographic operations. The application uses AES encryption with CBC mode and PKCS7 padding but does not correctly validate decrypted data.” states Greynoise. “This oversight allows attackers to generate valid padding and execute their attack, leading to unauthenticated arbitrary file upload and remote code execution.”

“As of the publishing timestamp of this post, GreyNoise has observed IPs attempting to exploit this vulnerability. Two have never seen GreyNoise before this activity” adds GreyNoise.

Researchers at the cybersecurity firm Assetnote published technical details of the vulnerability and published proof-of-concept (PoC) code for this flaw.

“A search online shows roughly 1000-6000 instances are internet accessible. This popularity, combined with the software being used to store sensitive data, meant if we found anything it could have quite an impact.” reads the analysis published by Assetnote.

Other PoC exploits have been published online, for this reason, experts warn that the number of attacks exploiting this issue will rapidly increase in the forthcoming days.

“we saw how a few small errors in ShareFile lead to an unauthenticated file upload and then remote code execution. Although the particular endpoint is not enabled in all configurations, it has been common amongst the hosts we have tested.” concludes Assetnote. “Given the number of instances online and the reliability of the exploit, we have already seen a big impact from this vulnerability.”

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix ShareFile)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

The ASA flaw CVE-2014-2120 is being actively exploited in the wild

Cisco warns customers that a decade-old ASA vulnerability, tracked as CVE-2014-2120, is being actively exploited…

35 minutes ago

DMM Bitcoin halts operations six months after a $300 million cyber heist

The Japanese cryptocurrency platform DMM Bitcoin is closing its operations just six months after a…

8 hours ago

Energy industry contractor ENGlobal Corporation discloses a ransomware attack

ENGlobal Corporation disclosed a ransomware attack, discovered on November 25, disrupting operations, in a filing…

10 hours ago

Poland probes Pegasus spyware abuse under the PiS government

Poland probes Pegasus spyware abuse under the PiS government; ex-security chief Piotr Pogonowski arrested to…

13 hours ago

BootKitty Linux UEFI bootkit spotted exploiting LogoFAIL flaws

The 'Bootkitty' Linux UEFI bootkit exploits the LogoFAIL flaws (CVE-2023-40238) to target systems using vulnerable…

15 hours ago

Tor Project needs 200 WebTunnel bridges more to bypass Russia’ censorship

The Tor Project seeks help deploying 200 WebTunnel bridges by year-end to counter government censorship.…

1 day ago

This website uses cookies.