Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

2 Citrix bugs are already being taken advantage of by hackers

The US Cybersecurity and Infrastructure Security Agency has warned of a vulnerability in Citrix’s ShareFile product, a cloud storage and file transfer application, listed as CVE-2023-24489.

user icon David Hollingworth
Fri, 18 Aug 2023
2 Citrix bugs are already being taken advantage of by hackers
expand image

Citrix first reported the improper-access-control issue in June, and CISA has recently added it to its Known Exploited Vulnerabilities Catalog. The flaw is serious enough to rate 9.8 out of 10 severity rating, and CISA has set a deadline of 6 September for federal agencies to patch the exploit.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in a statement.

A second bug has also been reported in Citrix’s NetScaler product and has already led to the compromise of about 2,000 servers, according to researchers at Fox IT.

============
============

“An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScalers to gain persistent access,” Fox IT’s people said in a blog post. “The adversary can execute arbitrary commands with this web shell, even when a NetScaler is patched and/or rebooted.”

Working with the Dutch Institute of Vulnerability Disclosure, Fox IT discovered a “large-scale exploitation campaign”.

Google’s Mandiant research team believes the culprit could be China-based.

“Mandiant cannot attribute this activity based on the evidence collected thus far,” Mandiant said, “however, this type of activity is consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADCs in 2022.”

Alarmingly, the apparent backdoor can still be taken advantage of even after patching.

“A patched NetScaler can still contain a backdoor,” Fox-IT said. “It is recommended to perform an indicator-of-compromise check on your NetScalers, regardless of when the patch was applied.”

Most of the infected machines are in Europe, though there is a small number of Australian servers affected.

UPDATE, 21.08.23:

A spokesperson for Citrix reached out to Cyber Security Connect regarding CVE-2023-24489, informing us of the following:

"When this vulnerability was discovered, we worked with and notified impacted customers in advance of the announced CVE to update to the latest version of our software to assure the safety of their data," Citrix has told us. "Our control plane is no longer connected to any ShareFile StorageZones Controller (SZC) that is not patched."

The company has also confirmed that no data has been lost in relation to this bug. It also affected less than three per cent of the entire install-base.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.