Tagvent 2023

The Sixth Day Of Tagsmas (2023): Citrix ShareFile Remote Code Execution Vulnerability (CVE-2023-24489)

CVE: CVE-2023-24489 (in CISA KEV)
Vulnerability: Citrix ShareFile Remote Code Execution (RCE)
Description: A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, when exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.

Tag Activity for Citrix ShareFile Remote Code Execution (CVE-2023-24489)

Discovery and Initial Impact

CVE-2023-24489 is a critical vulnerability discovered in the customer-managed ShareFile storage zones controller, a product of Citrix Systems, Inc. If exploited, this vulnerability could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller. The vulnerability affects Citrix ShareFile StorageZones Controller, a component of Citrix's cloud file sharing service, in version 5.11.24 and below. It arises from improper access control that lets attackers reach the controller without authenticating.

The vulnerability was discovered by researchers at cybersecurity vendor Assetnote. The core weakness is a cryptographic bug that allows for unauthenticated arbitrary file upload and full remote code execution. Assetnote researchers found the weakness to be common amongst the hosts they tested, and given the number of instances online and the reliability of the exploit, a significant impact from this vulnerability was observed.

Exploitation and Long-Term Impacts

The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog in August 2023, amid active exploitation that appeared to be increasing. GreyNoise documented exploitation activity that increased significantly on the day CISA added CVE-2023-24489 to KEV, and Fox-IT worked with the Dutch Institute for Vulnerability Disclosure to help mitigate a mass-exploitation campaign that resulted in approximately 2,000 backdoored Citrix NetScalers.

Proof of concept (PoC) exploits have been published for CVE-2023-24489 on GitHub, increasing the probability that attackers will leverage the flaw in future attacks. 

Despite the release of a fix for this vulnerability on May 11 — and more than 83% of Citrix customers having patched the vulnerability before the June disclosure — there was a spike in threat activity following the KEV catalog addition. 

Why Defenders Should Still Be Concerned

Despite the initial response and patching efforts, defenders should remain vigilant and keep an even closer watch on notices of new vulnerabilities in these and other Citrix systems. This is not the first critical vulnerability that has impacted the Citrix ShareFile storage zones controller. Previous vulnerabilities, such as CVE-2021-22941, also allowed unauthenticated remote compromise due to improper access control to the controller, and these systems are prime targets for attackers whenever new weaknesses arise.
