UPDATED 13:57 EDT / AUGUST 17 2023

CISA warns that hackers are actively targeting Citrix’s ShareFile platform

The U.S. Cybersecurity and Infrastructure Security Agency has determined that hackers are actively launching cyberattacks against deployments of Citrix Systems Inc.’s ShareFile platform.

According to CISA officials, the cyberattacks exploit a ShareFile vulnerability tracked as CVE-2023-24489 that was publicly detailed last month. On Wednesday the agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, the list of vulnerabilities it has confirmed are being exploited in the wild, and directed civilian federal agencies in the executive branch to patch their ShareFile deployments.

ShareFile is a file sharing platform that organizations use to store and exchange internal documents. It joined Citrix’s product portfolio through a 2011 startup acquisition and is used by more than 2,000 organizations worldwide, including multiple government agencies.

The platform lets customers store data either in a Citrix-managed cloud environment or on their own infrastructure, using a customer-managed storage zones controller. According to Citrix, CVE-2023-24489 affects only unpatched deployments that use the latter configuration; organizations that rely solely on Citrix’s cloud storage are not affected.

The vulnerability is rated critical, the highest severity band under the widely used Common Vulnerability Scoring System (CVSS), with a score of 9.1 out of a maximum 10.

It allows attackers to upload files to a company’s ShareFile storage zones controller without authenticating. From there, they can plant a malicious script known as a web shell, which gives them a persistent foothold on the server that can be used to steal data and lay the groundwork for further intrusion.

CVE-2023-24489 was discovered earlier this year by Dylan Pindur, a researcher at Australian cybersecurity provider Assetnote Pty Ltd. Citrix released a patch for the vulnerability on May 11 and says it “proactively” worked with customers to update their deployments. The software maker estimates that more than 83% of the organizations using ShareFile had updated their deployments by June 13, the date CVE-2023-24489 was publicly disclosed.

In a blog post published after the public disclosure, Assetnote detailed how the vulnerability works. It lies in the Storage Zones Controller, the component that lets companies run ShareFile’s storage tier on their own infrastructure, and specifically in an upload handler at documentum/upload.aspx.

According to Assetnote, that handler failed to sanitize the user-supplied values it received with an upload, a basic programming practice known as input sanitization.

When an application accepts uploads, there is a risk that users will submit malicious content or manipulate the data that accompanies it, such as the file name or the location it is written to. Applications therefore normally validate and filter that input before acting on it. This practice is known as sanitization.

Assetnote found that the code path in documentum/upload.aspx that writes an uploaded file did not sanitize this input, so an attacker could use it to place malicious content on the server.
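As an added illustration of the sanitization point above (example code, not ShareFile’s handler or Assetnote’s proof of concept), the following constructed upload handler shows the unsanitized pattern beside a hardened one. It assumes the common failure shape in which a client-supplied file name is joined straight onto the storage directory, so a name containing `..` segments escapes it; the allow-list of extensions and the `/srv/sharefile/uploads` root are assumptions for the example.

```python
import os
from pathlib import PurePosixPath

# Assumption for this illustration: uploads may only be documents or images,
# never anything the web server would execute (no .aspx, .php, .jsp ...).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".csv", ".png", ".jpg", ".txt"}


def unsafe_upload_path(storage_root: str, user_filename: str) -> str:
    """The unsanitized pattern: the client-controlled name is joined onto the
    storage directory as-is, so '..' segments walk out of it and the file can
    land anywhere the service account may write, including the web root."""
    return os.path.normpath(os.path.join(storage_root, user_filename))


def safe_upload_path(storage_root: str, user_filename: str) -> "str | None":
    """Sanitized version. Keeps only the final path component (after
    normalising Windows separators), rejects dot-names and NUL bytes,
    allow-lists the extension, and finally confirms the resulting path is
    still inside storage_root. Returns None when the upload must be rejected.
    In a real deployment resolve storage_root with os.path.realpath first so
    symlinks cannot move the root."""
    if "\x00" in user_filename:
        return None
    name = PurePosixPath(user_filename.replace("\\", "/")).name
    if name in ("", ".", "..") or name.startswith("."):
        return None
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        return None
    root = os.path.normpath(storage_root)
    dest = os.path.normpath(os.path.join(root, name))
    # Defence in depth: even after stripping directories, refuse anything
    # that does not resolve to a child of the storage root.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


if __name__ == "__main__":
    root = "/srv/sharefile/uploads"   # constructed sample root
    for name in ("report.pdf", "../../wwwroot/shell.aspx", "..\\..\\wwwroot\\shell.aspx"):
        print(f"{name!r:40} unsafe -> {unsafe_upload_path(root, name)}")
        print(f"{'':40} safe   -> {safe_upload_path(root, name)}")
```

The traversal name is the one to watch: the unsafe join sends it to `/srv/wwwroot/shell.aspx`, which is exactly how a web shell ends up in a directory the web server executes from, while the hardened function rejects it both on the stripped name’s extension and, for any name that survived that check, on the containment test.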

Before that code path can be reached, however, an attacker has to get past an encryption-based check built into ShareFile: the handler only proceeds if the request carries a parameter encrypted under a server-side key, which functions as a kind of token.

During its research, Assetnote found a flaw in that check. The server’s only test of the parameter was whether it decrypted to correctly padded plaintext, and a failed test produced a distinguishable error. An attacker therefore does not need a genuine token: a random ciphertext is accepted as soon as its final block decrypts to valid padding, and because changing the last byte of the preceding ciphertext block changes the last byte of that plaintext, a value that produces valid padding is found in at most 256 attempts.

Padding is filler appended to a message so that its length is a multiple of the block size of the cipher in use. One cipher that needs it is AES, a block cipher that ShareFile uses for certain security functions: it processes data in 16-byte blocks, and in modes such as cipher block chaining (CBC) the final block is padded up to full length and the padding is checked again on decryption.

“On its own, encryption does not provide authentication, nor does it protect a message against tampering,” Assetnote explained in the blog post. 
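The weakness described in the preceding paragraphs, as an added illustration that is not ShareFile’s code or Assetnote’s proof of concept: a constructed upload endpoint accepts any token that decrypts with valid PKCS#7 padding, and a client with no key forges one in at most 256 requests by varying a single byte of the IV. A small standard-library Feistel cipher stands in for AES, since the attack depends only on CBC mode and the padding check, not on the cipher; `AuthenticatedUploadEndpoint` shows the fix the quote implies, authenticating the ciphertext before decrypting it. The names `issue_token`, `parent_id` and `upload` are assumptions for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher (4-round Feistel network keyed with HMAC-SHA256).
# Constructed stand-in for AES so the example runs with the standard library
# alone; the attack below depends on CBC + PKCS#7, not on the cipher.
def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r

def pkcs7_unpad(buf: bytes) -> bytes:
    n = buf[-1] if buf else 0
    if n == 0 or n > BLOCK or buf[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return buf[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    pad = BLOCK - len(plaintext) % BLOCK          # PKCS#7: always pad
    padded = plaintext + bytes([pad]) * pad
    prev = iv = os.urandom(BLOCK)
    out = b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    prev, out = data[:BLOCK], b""
    for i in range(BLOCK, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += xor(block_decrypt(key, blk), prev)   # P_i = D(C_i) xor C_{i-1}
        prev = blk
    return out

class UploadEndpoint:
    """Constructed stand-in for the flawed check: the upload is accepted whenever
    the encrypted parameter decrypts with valid padding. Nothing proves the
    token was produced by someone holding the key."""
    def __init__(self) -> None:
        self.key = os.urandom(16)
        self.stored = []

    def issue_token(self, parent_id: bytes) -> bytes:
        return cbc_encrypt(self.key, parent_id)

    def upload(self, token: bytes, filename: str) -> str:
        try:
            pkcs7_unpad(cbc_decrypt(self.key, token))
        except ValueError:
            return "error: invalid token"    # distinguishable failure = oracle
        self.stored.append(filename)
        return f"stored {filename}"

class AuthenticatedUploadEndpoint(UploadEndpoint):
    """Hardened variant: an HMAC over the ciphertext is verified in constant
    time before anything is decrypted, so a forged token never reaches the
    padding check and the oracle disappears."""
    def __init__(self) -> None:
        super().__init__()
        self.mac_key = os.urandom(16)

    def issue_token(self, parent_id: bytes) -> bytes:
        ct = cbc_encrypt(self.key, parent_id)
        return ct + hmac.new(self.mac_key, ct, hashlib.sha256).digest()

    def upload(self, token: bytes, filename: str) -> str:
        ct, tag = token[:-32], token[-32:]
        expected = hmac.new(self.mac_key, ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "error: invalid token"
        return super().upload(ct, filename)

def forge_upload(endpoint: UploadEndpoint, filename: str):
    """No key needed: send a random two-block ciphertext and vary the IV's last
    byte. Exactly one of the 256 values makes the final plaintext byte 0x01,
    which is valid PKCS#7 padding, so the unauthenticated endpoint accepts it."""
    iv, c1 = bytearray(os.urandom(BLOCK)), os.urandom(BLOCK)
    for guess in range(256):
        iv[-1] = guess
        reply = endpoint.upload(bytes(iv) + c1, filename)
        if not reply.startswith("error"):
            return guess + 1, reply
    return None, "rejected after 256 attempts"

if __name__ == "__main__":
    print("vulnerable:", forge_upload(UploadEndpoint(), "shell.aspx"))
    print("hardened:  ", forge_upload(AuthenticatedUploadEndpoint(), "shell.aspx"))
```

Run it and the vulnerable endpoint reports `stored shell.aspx` after somewhere between 1 and 256 requests, while the hardened one rejects all 256; the legitimate `issue_token`/`upload` round trip still works on both. The lesson is the one in Assetnote’s quote: a decryptable ciphertext is not evidence of anything unless its integrity is checked first, which is why authenticated modes such as AES-GCM, or encrypt-then-MAC as shown here, are the default choice.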

The company estimates that there are 1,000 to 6,000 ShareFile deployments accessible through the open web. According to a statement released by Citrix on Friday, CVE-2023-24489 affected less than 3% of the approximately 2,800 organizations that use ShareFile. The company added that there are no known cases of hackers using the vulnerability to steal data.

Photo: Citrix
