Saturday, February 27, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Privacy

Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets

May 6, 2020
in Internet Privacy
Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Since the past few weeks, software giant Citrix has privately been rolling out a critical software update to its enterprise customers that patches multiple security vulnerabilities affecting Citrix ShareFile content collaboration platform.

The security advisory—about which The Hacker News learned from Dimitri van de Giessen, an ethical hacker and system engineer—is scheduled to be available publicly later today on the Citrix website.

You might also like

Cisco Releases Security Patches for Critical Flaws Affecting its Products

Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

Citrix ShareFile is an enterprise-level file sharing solution for businesses using which employees can securely exchange proprietary and sensitive business data with each other.

The software offers an on-premises secure cloud environment for data storage with auditing capabilities and regulatory compliance controls. For example, a company can remotely lock or wipe data from potentially compromised mobile devices, or they’re when lost or stolen.

The newly identified security issues (CTX-CVE-2020-7473) specifically affect customer-managed on-premises Citrix ShareFile storage zone controllers, a component that stores corporate data behind the firewall.

The list of vulnerabilities are:

  • CVE-2020-7473
  • CVE-2020-8982
  • CVE-2020-8983

According to the advisory, if exploited, the vulnerabilities could allow an unauthenticated attacker to compromise the storage zones controller potentially and access sensitive ShareFile documents and folders.

List of Affected and Patched Citrix ShareFile Versions

If your company uses on-premises ShareFile storage zones controller versions 5.9.0 / 5.8.0 /5.7.0/ 5.6.0 / 5.5.0 and earlier, you are affected and recommended to immediately upgrade your platform to Storage zones controller 5.10.0 / 5.9.1 / 5.8.1 or later.

It is important to note that if your storage zone was created on any of the affected versions, merely upgrading your software to a patched version would not completely resolve the vulnerability.

To fix this, the company has separately released a mitigation tool that you need to be run on your primary Storage zones controller first and then on any secondary controllers.

“Once the tool runs successfully on your primary zone, you MUST NOT revert any changes to it. Reverting changes will cause your zone to become unavailable,” the advisory warned.

You can find a complete step by step details in the advisory, as soon as it becomes available publicly.

Besides the on-premises solution, the cloud versions of ShareFile storage zone controllers were also affected, but the company has already patched them and doesn’t require any further action from users.

Where the Flaw Resides?

At the time of writing, though not much technical details on the underlying vulnerabilities are available, an initial patch inspection by Dimitri reveals that at least one of the flaws could have resided in an old ASP.net Toolkit that Citrix Sharefile used.

The 9-year-old outdated version of AjaxControlToolkit that’s allegedly bundled with the affected versions of ShareFile software contains directory traversal and remote code execution vulnerabilities (CVE-2015-4670), which were disclosed publicly in 2015.

citrix sharefile vulnerability

To check if Citrix ShareFile implementation is affected or not, one can visit the following URL in the browser, and if the page returns blank, it’s vulnerable, and if it through 404 error, it’s either not flawed or has already been patched.

https://yoursharefileserver.companyname.com/UploadTest.aspx

According to Dimitri, the mitigation tool makes some changes to the web.config file and then also deletes UploadTest.aspx and XmlFeed.aspx from the affected servers.


Credit: The Hacker News By: noreply@blogger.com (Swati Khandelwal)

Previous Post

A Gmail for databases: CockroachDB aims for the top, stocks up with $86.6M new funding

Next Post

Microsoft to hackers: Break our Azure Sphere Linux IoT OS and earn up to $100k

Related Posts

Cisco Releases Security Patches for Critical Flaws Affecting its Products
Internet Privacy

Cisco Releases Security Patches for Critical Flaws Affecting its Products

February 27, 2021
Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process
Internet Privacy

Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

February 26, 2021
North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware
Internet Privacy

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

February 26, 2021
Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack
Internet Privacy

Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack

February 26, 2021
Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations
Internet Privacy

Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations

February 25, 2021
Next Post
Microsoft to hackers: Break our Azure Sphere Linux IoT OS and earn up to $100k

Microsoft to hackers: Break our Azure Sphere Linux IoT OS and earn up to $100k

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Berlin resident jailed for threatening to bomb NHS hospital unless Bitcoin ransom was paid
Internet Security

Berlin resident jailed for threatening to bomb NHS hospital unless Bitcoin ransom was paid

February 27, 2021
The Ethereum Virtual Machine (EVM)
Data Science

The Ethereum Virtual Machine (EVM)

February 27, 2021
Healthcare leaders debunk 3 myths about machine learning
Machine Learning

Providence exec explains the differences, their healthcare applications

February 27, 2021
Future Tech: Artificial Intelligence and the Singularity | by Jason Sherman | Feb, 2021
Neural Networks

Future Tech: Artificial Intelligence and the Singularity | by Jason Sherman | Feb, 2021

February 27, 2021
Chrome will soon try HTTPS first when you type an incomplete URL
Internet Security

Chrome will soon try HTTPS first when you type an incomplete URL

February 27, 2021
Cisco Releases Security Patches for Critical Flaws Affecting its Products
Internet Privacy

Cisco Releases Security Patches for Critical Flaws Affecting its Products

February 27, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Berlin resident jailed for threatening to bomb NHS hospital unless Bitcoin ransom was paid February 27, 2021
  • The Ethereum Virtual Machine (EVM) February 27, 2021
  • Providence exec explains the differences, their healthcare applications February 27, 2021
  • Future Tech: Artificial Intelligence and the Singularity | by Jason Sherman | Feb, 2021 February 27, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates