The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that a Citrix flaw patched in May is being actively exploited in the wild.
CVE-2023-24489 was added to the agency’s Known Exploited Vulnerabilities Catalog yesterday, with CISA warning it poses “significant risks to the federal enterprise.”
The flaw is described as an improper access control vulnerability in Citrix ShareFile (aka Citrix Content Collaboration). If exploited, it “could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller,” CISA said.
Citrix released an advisory on the critical-severity bug, which has a CVSS score of 9.1, on June 13, although ShareFile had already patched the vulnerability in May. The company contacted Infosecurity to confirm that over 83% of customers had patched their environments by May 11, before the issue was made public. It claimed the incident affected less than 3% of its install base.
"When this vulnerability was discovered, we worked with and notified impacted customers in advance of the announced CVE to update to the latest version of our software to assure the safety of their data," it added. "Our control plane is no longer connected to any ShareFile StorageZones Controller (SZC) that is not patched."
Citrix Content Collaboration is enterprise file sync and sharing software. Its storage zones controller feature lets customers extend those file sharing capabilities to private data storage in order to meet regulatory requirements.
“The storage zones that you maintain can reside in your on-premises single-tenant storage system or in supported third-party cloud storage. This includes Amazon S3 and Windows Azure,” Citrix explains.
“Storage zones controller also provides users with secure access to SharePoint sites and network file shares through storage zone connectors. Storage zone connectors enable you to provide secure mobile access to data residing behind your corporate firewall without the need to migrate data to the cloud.”
File sharing services have become a popular target for ransomware groups over recent years, with the Clop group in particular exploiting zero-day vulnerabilities in MOVEit, and earlier in Accellion and GoAnywhere products, to devastating effect.
That is why CISA requires all federal civilian agencies to patch the vulnerability by September 6. Private enterprises are encouraged to follow suit.
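The practical follow-up for a defender is to track KEV entries against their remediation deadlines. The script below is an added example, not code from the article, CISA or Citrix: it parses a document in the shape of CISA's published KEV catalog JSON feed (fields such as `cveID`, `vendorProject`, `product`, `dueDate`), looks up a CVE, and reports how many days remain before the due date. The embedded sample is constructed; only the CVE identifier, vendor/product names and the September 6 due date come from the article, while `dateAdded` and the second entry are placeholders.

```python
import json
from datetime import date

# Constructed sample mirroring the structure of CISA's KEV catalog feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The dateAdded values and the second entry are placeholders, not catalog data.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-24489",
            "vendorProject": "Citrix",
            "product": "ShareFile",
            "vulnerabilityName": "Citrix ShareFile Improper Access Control Vulnerability",
            "dateAdded": "2023-08-16",   # placeholder; the article only says "yesterday"
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-09-06",     # deadline stated in the article
        },
        {
            "cveID": "CVE-1900-0001",    # placeholder entry for illustration only
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder Vulnerability",
            "dateAdded": "2023-08-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-08-22",
        },
    ],
})


def load_kev(text):
    """Parse a KEV-style JSON document and return its list of entries."""
    return json.loads(text)["vulnerabilities"]


def find_entry(entries, cve_id):
    """Return the catalog entry for cve_id (case-insensitive), or None."""
    wanted = cve_id.strip().upper()
    for entry in entries:
        if entry["cveID"].upper() == wanted:
            return entry
    return None


def days_until_due(entry, today):
    """Days from `today` to the entry's dueDate; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage(entries, today, vendor=None):
    """Build a deadline report, most urgent first, optionally filtered by vendor.

    Each row is (cveID, product, dueDate, days_remaining, status).
    """
    rows = []
    for entry in entries:
        if vendor and entry["vendorProject"].lower() != vendor.lower():
            continue
        remaining = days_until_due(entry, today)
        if remaining < 0:
            status = "OVERDUE"
        elif remaining == 0:
            status = "DUE TODAY"
        else:
            status = f"due in {remaining} days"
        rows.append((entry["cveID"], entry["product"], entry["dueDate"], remaining, status))
    return sorted(rows, key=lambda row: row[3])


if __name__ == "__main__":
    # Stand-alone usage against the constructed sample, evaluated as of a fixed day.
    entries = load_kev(SAMPLE_KEV)
    for row in triage(entries, date(2023, 8, 20)):
        print("{:<16} {:<16} {:<12} {}".format(row[0], row[1], row[2], row[4]))
```

Swapping `SAMPLE_KEV` for the downloaded feed and `date(2023, 8, 20)` for `date.today()` turns this into a daily check; the `vendor` filter narrows the report to the products an organisation actually runs.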