Advisory 35

Impact: High

TLP Rating: Clear

CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provides the following advisory.

On the 16th of August 2023, CERT Vanuatu received an advisory from its collaborating partner, Cybersecurity Infrastructure Security Agency (CISA) of a vulnerability in Citrix systems.

What is it?

CVE-2023-24489 is a cryptographic bug in citrix ShareFile’s Storage Zone Controller, a .NET web application under IIS. This vulnerability allows unauthenticated   attackers to upload arbitrary files, leading to remote code execution (RCE). The vulnerability has been assigned a CVSS score of 9.8 indicating it is critical severity.

Technical Details – How attackers can exploit this vulnerability.

Attackers can exploit this vulnerability by taking advantage of errors in ShareFile’s handling of cryptographic operations. The application uses AES encryption with CBC mode and PKCS7 padding but does not correctly validate decrypted data. This oversight allows attackers to generate valid padding and execute their attack, leading to unauthenticated arbitrary file upload and remote code execution (RCE).