Patch now! Citrix Sharefile joins the list of actively exploited file sharing software

The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability to its catalog of know exploited vulnerabilities, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by September 6, 2023 to protect their networks against this active threat. We urge everyone else to take it seriously too and preferably not to wait untill the last moment.

According to the Citrix security advisory, this vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24. Customers using ShareFile-managed storage zones in the cloud do not need to take any action.

Citrix customers should update to the latest version of ShareFile storage zones controller and read the instructions for upgrading. As an extra precaution Citrix has blocked all customer-managed ShareFile storage zones controllers versions prior to the latest version (5.11.24). Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability at hand is listed as CVE-2023-24489 and has a CVSS score of 9.1 out of 10. It is a cryptographic bug in Citrix ShareFile’s Storage Zones Controller, a .NET web application running under Internet Information Services (IIS). Due to errors in how ShareFile handles cryptographic operations, attackers can generate valid padding which enables unauthenticated attackers to upload arbitrary files, leading to remote code execution (RCE).

Several Proof of Concepts (PoCs) have been made available since the vulnerability was discovered in July.

This year, the Cl0p ransomware gang has made extensive use of vulnerabilities in file transfer software. In March it emerged from dormancy to become the most active gang in the world by exploiting a zero-day vulnerability in GoAnywhere MFT. After going quiet for a few months it repeated the trick in June and July as its widespread exploitation of a MOVEit Transfer zero-day vulnerability became clear.

With Cl0p seemingly looking for exactly this kind of vulnerability, it should be a no-brainer that this needs to be patched as soon as possible.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.