Multiple Info Disclosure vulnerabilities in Citrix ShareFile - CERT-In Advisory CIAD-2020-0029
- By Elite CIO
May 11, 2020
Source: www.cert-in.org.in
Original Issue Date: May 05, 2020
Severity Rating: High
Systems Affected
Customer-managed storage zones created using the following versions:
ShareFile StorageZones Controller 5.9.0 versions prior to 5.9.1
ShareFile StorageZones Controller 5.8.0 versions prior to 5.8.1
ShareFile StorageZones Controller 5.7.0 versions prior to 5.7.1
ShareFile StorageZones Controller 5.6.0 versions prior to 5.6.1
ShareFile StorageZones Controller 5.5.0 versions prior to 5.5.1
All earlier versions of ShareFile StorageZones Controller
Storage zones created using a vulnerable version of the storage zones controller are at risk even if the storage zones controller has been subsequently updated.
Overview
Multiple vulnerabilities have been reported in customer-managed Citrix ShareFile StorageZones Controller. An attacker could exploit the vulnerabilities to access ShareFile users' documents and folders.
Description
Citrix ShareFile is an enterprise file-sharing solution through which employees can securely exchange proprietary and sensitive business data with each other. It offers an on-premises secure cloud environment for data storage with auditing capabilities and regulatory compliance controls.
Multiple vulnerabilities have been reported in customer-managed Citrix ShareFile StorageZones Controller. They would allow an unauthenticated attacker to compromise the storage zones controller, potentially giving the attacker the ability to access ShareFile users' documents and folders.
Note: Customers with Citrix-managed storage zones are not affected by these vulnerabilities.
Solution
Upgrade to the latest versions released by Citrix:
https://support.citrix.com/article/CTX269341
Merely upgrading to a patched version does not protect a storage area created with a vulnerable StorageZones Controller. Citrix has separately released a mitigation tool that must be run on the primary storage zones controller first and then on any secondary controllers. This tool should be used with due care: do not attempt to back out of the mitigation once it has been applied, as doing so risks losing the storage area.
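The two checks above (is the controller itself still on an affected release, and was the zone created by an affected release even if the controller has since been upgraded) are easy to conflate in an inventory review. The following is an added example, not code from CERT-In or Citrix; the inventory fields (current controller version, version that created the zone) and the action strings are assumptions for illustration.

```python
"""Classify ShareFile StorageZones Controller inventory entries against
CIAD-2020-0029. Added example: the inventory shape is constructed here."""
from typing import Tuple

# First fixed release of each affected 5.x branch, from "Systems Affected".
FIXED_IN_BRANCH = {
    (5, 9): (5, 9, 1),
    (5, 8): (5, 8, 1),
    (5, 7): (5, 7, 1),
    (5, 6): (5, 6, 1),
    (5, 5): (5, 5, 1),
}
OLDEST_FIXED = (5, 5, 1)  # "All earlier versions" than the 5.5 branch are affected


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'major.minor[.patch]'; a missing patch component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True if this controller release falls inside an affected range."""
    v = parse_version(version)
    fixed = FIXED_IN_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed       # affected branch: anything below its first fixed release
    return v < OLDEST_FIXED    # older branches: affected; newer branches: not listed


def classify_zone(current: str, created_with: str) -> str:
    """Action a customer-managed zone needs (assumed action labels).

    Key caveat from the advisory: a zone created by a vulnerable controller
    stays at risk after the controller is upgraded, so it still needs the
    mitigation tool (primary controller first, then any secondaries).
    """
    if is_vulnerable(current):
        return "upgrade controller, then run mitigation tool"
    if is_vulnerable(created_with):
        return "run mitigation tool"
    return "no action"
```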
Vendor Information
https://support.citrix.com/article/CTX269106
https://support.citrix.com/article/CTX269341
https://www.citrix.com/support/open-a-support-case.html
References
https://support.citrix.com/article/CTX269341
https://www.citrix.com/support/open-a-support-case.html
https://thehackernews.com/2020/05/citrix-sharefile-vulnerability.html
CVE Name
CVE-2020-7473
CVE-2020-8982
CVE-2020-8983
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.