Report DIVD-2020-00007 - Citrix ShareFile

Report DIVD-2020-00007 - Citrix ShareFile

Written on 01 Jul 2021 by Jeroen van de Weerd

Case lead: Lennaert Oudshoorn
Researchers: Lennaert Oudshoorn
Case file: DIVD-2020-00007

On May 5, 2020, Citrix released a security advisory for the Citrix ShareFile product. (https://support.citrix.com/article/CTX269106) The three vulnerabilities listed here allow an attacker to potentially compromise the storage zone controller and gain access to sensitive ShareFile documents and folders. The newly found vulnerabilities apply to Citrix ShareFile storage zone controllers that are on-premises and self-managed. The vulnerabilities have been assigned the following CVE numbers.

The vulnerabilities are found in the following versions:

Citrix ShareFile is an enterprise file sharing solution that allows employees to securely exchange company-owned and sensitive corporate data with each other. You can also use the software to lock or completely erase potentially compromised mobile devices.

There is a mitigation available from Citrix, as just updating ShareFile to a non vulnerable version does not fix the vulnerability in previously created storage zones. To resolve this, Citrix has released another mitigation tool. Instructions on how to fix the vulnerabilities are in the Citrix article, however, a login is required here. https://support.citrix.com/article/CTX269341

There is a way to check for yourself if your system is vulnerable. See: https://github.com/DimitriNL/CTX-CVE-2020-7473 for more information, with special thanks to @DimitriNL

On May 22, 2020, DIVD CSIRT researchers searched for ShareFile servers in the Netherlands via Shodan. A total of 27 organizations were found. On June 23, 2020, researchers contacted 20 organizations by mail. 7 organizations already fixed the vulnerability. After that the case was closed.

More information.