Hackers are already taking advantage of two Citrix bugs
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of a vulnerability in Citrix’s ShareFile product, a cloud file storage and transfer application, tracked as CVE-2023-24489.
Citrix first disclosed the improper access control issue in June, and CISA recently added it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is serious enough to carry a severity rating of 9.8 out of 10, and CISA has set a deadline of September 6 for federal agencies to patch it.
“These types of vulnerabilities are frequent attack vectors for malicious cyberattacks and pose significant risks to the federal enterprise,” CISA said in a statement.
A second bug, CVE-2023-3519 in Citrix’s NetScaler product, has already led to the compromise of about 2,000 servers, according to researchers at Fox-IT.
“An adversary appears to have exploited CVE-2023-3519 in an automated manner, placing web shells on vulnerable NetScalers to gain persistent access,” the folks at Fox-IT said in a blog post. “The adversary can execute arbitrary commands with this web shell, even when a NetScaler is patched and/or restarted.”
In collaboration with the Dutch Institute for Vulnerability Disclosure (DIVD), Fox-IT uncovered what it described as a “large-scale exploitation campaign.”
Google’s Mandiant research team believes the culprit may be based in China, although it stops short of formal attribution.
“Mandiant cannot attribute this activity based on the evidence collected so far,” Mandiant said, “however, this type of activity is consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADC in 2022.”
Alarmingly, applying the patch does not remove a web shell that is already in place: the fix closes the initial entry point, but a backdoor planted before patching remains usable afterwards.
“A patched NetScaler may still contain a backdoor,” Fox-IT said. “It is recommended to perform a compromise indicator check on your NetScalers, regardless of when the patch was applied.”
Most of the compromised machines are located in Europe, with a small number in Australia.
UPDATE, 08/21/23:
A Citrix spokesperson contacted Cyber Security Connection regarding CVE-2023-24489 with the following statement:
“When this vulnerability was discovered, we worked with and notified affected customers prior to the CVE announcement to update them to the latest version of our software to ensure the security of their data,” Citrix told us. “Our control plane is no longer connected to any unpatched ShareFile StorageZones Controllers (SZCs).”
The company also confirmed that no data was lost in connection with the vulnerability, which affected less than three percent of its installed base.