CVE-2020-7473, CVE-2020-8982, CVE-2020-8983
Identified as CVE-2020-7473, CVE-2020-8982, and CVE-2020-8983, the vulnerabilities could allow an unauthenticated attacker to compromise the storage zones controller, enabling the attacker to access ShareFile users’ documents and folders.
Citrix ShareFile is an enterprise-level file sharing solution for businesses which enables employees to securely exchange sensitive business data. The vulnerabilities affect customer-managed on-premise Citrix ShareFile storage zone controllers, which stores corporate data.
According to the official Citrix security advisory, customer-managed storage zones created using the following versions of the storage zones controller are affected:
ShareFile storage zones Controller 5.9.0
ShareFile storage zones Controller 5.8.0
ShareFile storage zones Controller 5.7.0
ShareFile StorageZones Controller 5.6.0
ShareFile StorageZones Controller 5.5.0
All earlier versions of ShareFile StorageZones Controller
It should also be noted that storage zones created via a vulnerable version of the storage zones controller are at risk, even in case the storage zones controller has been subsequently updated.
What should Citrix customers do in light of the vulnerabilities?
According to the company’s advisory, customers with Citrix-managed storage zones don’t need to take any action. As for customers with customer-managed storage zones, they should ensure they are running on a supported version. To address the security issues, customers must run the mitigation tool as soon as possible on the storage zone controllers. Citrix has provided detailed instructions on how to do so in a separate support article which is only accessible by customers.
In January 2020, Citrix had another serious vulnerability in Citrix Gateway (NetScaler Gateway) and Citrix Application Delivery Controller (NetScaler ADC), which could expose 80,000 companies to hacks.
Working exploits against the CVE-2019-19781 flaw were reported later, which allowed attackers to perform arbitrary code execution attacks with an ease, without the need of account credentials.
Affected organizations were susceptible to criminals gaining access to their restricted networks by impersonating registered and authorized users.