Impact: High
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory.
On 16 August 2023, CERT Vanuatu received an advisory from its collaborating partner, the Cybersecurity and Infrastructure Security Agency (CISA), about a vulnerability in Citrix systems.
What is it?
CVE-2023-24489 is a cryptographic bug in Citrix ShareFile's StorageZones Controller, a .NET web application hosted under IIS. The flaw allows unauthenticated attackers to upload arbitrary files, leading to remote code execution (RCE). It has been assigned a CVSS score of 9.8, indicating critical severity.
Technical Details – How attackers can exploit this vulnerability
The StorageZones Controller decrypts attacker-supplied input using AES in CBC mode with PKCS7 padding, but it does not correctly validate the decrypted data before acting on it. In effect, the only check performed is that the padding is valid, and valid padding is something an attacker can produce without knowing the key: the last plaintext byte of a CBC block depends on a ciphertext byte the attacker controls, so cycling that byte through its 256 possible values is guaranteed to yield a decryption that ends in correct padding. A forged request is therefore accepted, which leads to unauthenticated arbitrary file upload and remote code execution (RCE).
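The following Go program is an added example written for this advisory; it is not ShareFile's code and does not reproduce the ShareFile exploit. It models the weakness described above in the abstract: a decryptor that accepts any AES-CBC ciphertext whose PKCS7 padding happens to be valid, an attacker routine that forges such a ciphertext with no knowledge of the key by cycling one IV byte, and a hardened decryptor that verifies an HMAC-SHA256 tag over the whole ciphertext before decrypting. The keys, the sample plaintext and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pkcs7Pad appends PKCS7 padding so the result is a whole number of blocks.
func pkcs7Pad(buf []byte, blockSize int) []byte {
	n := blockSize - len(buf)%blockSize
	out := make([]byte, len(buf)+n)
	copy(out, buf)
	for i := len(buf); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

// pkcs7Unpad strips PKCS7 padding and rejects malformed padding.
func pkcs7Unpad(buf []byte, blockSize int) ([]byte, error) {
	if len(buf) == 0 || len(buf)%blockSize != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	n := int(buf[len(buf)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding")
	}
	for _, b := range buf[len(buf)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return buf[:len(buf)-n], nil
}

// encryptCBC returns IV || AES-CBC(PKCS7(pt)) with a fresh random IV.
func encryptCBC(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// decryptCBCUnauthenticated is the weak pattern: decrypt, strip padding and
// trust the result. Valid padding is the only thing that is ever checked.
func decryptCBCUnauthenticated(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

// encryptThenMAC appends HMAC-SHA256(macKey, IV || ciphertext) to the CBC output.
func encryptThenMAC(encKey, macKey, pt []byte) ([]byte, error) {
	ct, err := encryptCBC(encKey, pt)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct), nil
}

// decryptAuthenticated is the hardened form: verify the tag in constant time
// first, so a forged ciphertext never reaches the padding check at all.
func decryptAuthenticated(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < sha256.Size+2*aes.BlockSize {
		return nil, errors.New("message too short")
	}
	body, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	return decryptCBCUnauthenticated(encKey, body)
}

// forgeValidPadding plays an attacker who knows no key. In CBC the last
// plaintext byte is D_k(C1)[15] XOR IV[15], so cycling IV[15] through all 256
// values guarantees one decryption that ends in 0x01, i.e. valid padding.
// tagLen random trailing bytes stand in for a tag the attacker cannot compute.
// Returns the accepted forgery and the attempt count, or (nil, 0) if rejected.
func forgeValidPadding(accept func([]byte) bool, tagLen int) ([]byte, int) {
	forged := make([]byte, 2*aes.BlockSize+tagLen)
	if _, err := rand.Read(forged); err != nil {
		panic(err)
	}
	for i := 0; i < 256; i++ {
		forged[aes.BlockSize-1] = byte(i)
		if accept(forged) {
			return forged, i + 1
		}
	}
	return nil, 0
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(macKey)
	weak := func(c []byte) bool { _, err := decryptCBCUnauthenticated(encKey, c); return err == nil }
	_, n := forgeValidPadding(weak, 0)
	fmt.Printf("unauthenticated CBC: forgery accepted after %d attempts\n", n)
	strong := func(c []byte) bool { _, err := decryptAuthenticated(encKey, macKey, c); return err == nil }
	_, n = forgeValidPadding(strong, sha256.Size)
	fmt.Printf("encrypt-then-MAC: forgery accepted after %d attempts (0 = never)\n", n)
}
```

Run as-is, the weak decryptor accepts a forgery within at most 256 attempts every time, while the authenticated decryptor rejects all 256. The point for defenders is that padding validity is not an integrity check; any field a web application decrypts from a request must be authenticated (encrypt-then-MAC as here, or an AEAD mode such as AES-GCM) before its contents are used to build a file path or any other security decision.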
Mitigation Process / How do I Stay Safe?
Citrix has blocked all customer-managed ShareFile StorageZones Controllers running versions prior to the latest release, 5.11.24, to protect its customers. Customers can reinstate their storage zone controller once the update to version 5.11.24 has been applied.
Additionally, CERTVU recommends that organizations apply the following best practices to reduce the risk of compromise:
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-24489
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24489
- https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability
- https://www.csa.gov.sg/alerts-advisories/alerts/2023/al-2023-091
- Download advisory (English): CVE-2023-24489 – CITRIX System
- Download advisory (Bislama): CVE-2023-24489 – CITRIX Sistem
- Download advisory (French): Système CITRIX - CVE-2023-24489