Citrix ShareFile Vulnerability Exploited

THE THREAT

eSentire is aware of reports that the Citrix ShareFile StorageZones Controller vulnerability CVE-2023-24489 (CVSS: 9.8) is now under widespread exploitation by multiple threat actor groups. Organizations using Citrix ShareFile need to take immediate action to prevent abuse by threat actors.

CVE-2023-24489 is an improper resource control vulnerability. Exploitation would enable a remote and unauthenticated threat actor to achieve authenticated arbitrary file upload; this would allow for Remote Code Execution (RCE) and enable threat actors to exfiltrate sensitive data from the platform. The vulnerability was initially disclosed on June 13th, 2023, and Proof-of-Concept (PoC) exploit code has been publicly available since at least July 4th.

As exploitation of this vulnerability is now confirmed to be widespread, it is critical that organizations ensure security patches are deployed and review any potentially impacted devices for signs of compromise.

What we’re doing about it

• IP addresses associated with real-world attacks are blocked via the eSentire Global Block List
• Threat Hunts, based on IIS web access logs and known Indicators of Compromise(IOCs) , have been performed
  • Any impacted organizations will be notified through the eSentire Security Operations Center (SOC)
• The eSentire Threat Response Unit (TRU) is actively tracking this threat and reviewing publicly available Proof-of-Concept (PoC) exploit code for additional details and detection opportunities
• eSentire Managed Vulnerability Service (MVS) will add relevant plugins when they become available

What you should do about it

• After performing a business impact review, update ShareFile storage zones controller to version 5.11.24 or later
  • Alternative mitigations are not currently available
  • Organizations using ShareFile-managed storage zones in the cloud do not need to take any actions
• If patching is not possible, organizations are recommended to limit access to the impacted products

Additional information

Citrix ShareFile StorageZones Controller is a managed file transfer SaaS cloud storage solution, meant to enable the secure upload and download of sensitive files. CVE-2023-24489 impacts all versions of customer-managed ShareFile storage zones controller before version 5.11.24.

Exploitation of this vulnerability would enable a variety of malicious actions; attackers may steal sensitive data or upload malicious content, such as webshells, to enable persistent access to victim environments. CVE-2023-24489 is similar to past vulnerabilities in Managed File Transfer (MTF) solutions, such as Accellion FTA and GoAnywhere. Vulnerabilities in MTF platforms have been heavily targeted in the past to enable data theft and extortion attacks. The eSentire Threat Intelligence team assesses that it is probable threat actors will exploit CVE-2023-24489 in order to run extortion campaigns.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-24489 to the CISA Known Exploited Vulnerability catalog on August 16th. US Federal Agencies have until September 6th, 2023, to ensure all impacted devices are updated. On the same day, the cyber intelligence company GreyNoise confirmed that they identified a “significant spike” in CVE-2023-24489 exploitation attempts.

The popularity of Citrix, combined with the publicly available PoC exploit code and the history of successful exploitation of similar vulnerabilities, makes CVE-2023-24489 highly attractive to financially motived threat actor groups. Widespread exploitation is ongoing and will continue until organizations have fully remediated the vulnerability.

References:

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-24489
[2] https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489
[3] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a#:~:text=Internet%2Dfacing%20MOVEit,in%20early%202023
[4] https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-adds-one-known-exploited-vulnerability-catalog
[5] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[6] https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability