Citrix corrected three errors that were found in many publications ShareFile storage zone controllers, which could be exploited hackers to access the company's customer files. ShareFile is a service designed for businesses, which need a content collaboration, file sharing and synchronization system. The data are available from internal or cloud storage zones and are transferred to the user securely via a storage zone controller.
Thousands servers were exposed due to errors found in the company. In particular, the three security errors, identified as CVE-2020-7473, CVE-2020-8982 and CVE-2020-8983, affect the basic versions of storage zone controllers (5.9.0, 5.8.0, 5.7.0, 5.6.0 .5.5.0 and 5.9.1) of ShareFile, while their intermediate versions (5.8.1 / 5.7.1 / 5.6.1 / 5.5.1 / XNUMX) are not affected. However, the company said in a statement that the storage zones created using a vulnerable version of a storage zone controller are at risk even if it has been updated.
Nate Warfield, senior security program manager at her Security Center Microsoft (MSRC), searched for Citrix ShareFile storage servers on Shodan and found about 2.800. There are no clear details on these security errors, but Warfield noted that they are quite important, so priority should be given to servers. In addition, the lack of technical information means that there is still enough time before it can take place code exploitation or some other form of attack.
Customers who have storage zones managed by Citrix do not need to take any specific action. Respectively, customers who manage the zones themselves should ensure that they are running a supported version and then use one tool Citrix for error mitigation. It is a simple tool that checks if a ShareFile server is vulnerable to the error identified as CVE-2020-7473 and is available at GitHub by Dimitri van de Giessen, a moral hacker - system engineer. De Giessen works for a company that is a Citrix on-premise user and received prior security update information. So he was able to track what the update did for the bug identified as CVE-2020-7473. Citrix thanked the Danske Bank Red-Team for their cooperation in a security newsletter, which resulted in the protection of its customers from the other two security errors.