Just in Time Bulletin: CVE-2023-24489 Citrix ShareFile RCE
What is CVE-2023-24489?
Citrix ShareFile is a cloud based platform that facilitates the secure sharing of large files. In conventional deployments the service is used purely as a cloud service, however clients can elect to manage an on-premise deployment referred to as ShareFile Storage Zone Controller. Researchers determined that ShareFile Storage Zone Controller deployments were prone to an unauthenticated path-traversal vulnerability that could be exploited to upload a web shell to the vulnerable instance. The Storage Zone Controller is based on a .NET core running on IIS, supported largely by *.aspx scripts.
An analysis of the files deployed to the web server indicated that some of the scripts were accessible to unauthenticated threat actors, which included an upload.aspx script. Diving deeper into the decompiled code revealed that authentication checks within the script failed to account for an empty session identifier (not the same as NULL). This trivial security bypass enables the program flow to proceed to a secondary security check that attempts to decrypt a “parentId” passed to the upload.aspx script. The decryption of this value is the only defense against uploading an arbitrary file to the remote system. Moving along the execution flow we arrive at the ProcessRawPostedFile function. This prepares the submitted query parameters by concatenating the provided filename and path values without first performing validation on the path. This introduces the potential for path-traversal attacks.
By combining these elements, researchers determined that it was possible to craft an AES encrypted payload that could be injected into the “parentId” value. This resulted in the successful decryption of the “parentId” value. The resulting decrypted value was entirely random binary garbage, but it passed the only defensive check – a non-empty decrypted string. Based on the logic of the script this was the only qualifier required to successfully upload an *.aspx web-shell to a location within the webroot.
How bad is this?
Active exploitation in the wild today.
- Credentials are NOT required
- Exploited in the wild
- Low level of complexity
How is it exploited?
Exploitation is trivial and exploit code is publicly available. This is a pretty serious issue and should be addressed ASAP. To minimize mass exploitation, Citrix has blocked all on-prem instances until the patch is applied. It’s a disruptive short term solution, but it is effective.
How do I protect myself?
Patch now if you’re operating an on-prem ShareFile instance. Citrix has released a cumulative security patch to address CVE-2023-24489.
Customers using Citrix ShareFile cloud are not affected. This vulnerability only impacts on-premise deployments of ShareFile. Vulnerable endpoints are likely not exposed to the Internet, which should reduce the risk of mass exploitation. Citrix has also disabled all customer-managed ShareFile storage zones controller versions prior to the latest version 5.11.24 in an effort to protect customers. Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied.
Additional Resources About CVE-2023-24489