Citrix ShareFile StorageZones Controller Multiple Security Updates


<section class="article-content" data-swapid="ArticleContent"> <div class="content-block" data-swapid="ContentBlock"><div> <div> <h2> Description of Problem</h2> <div> <div> <div> <p>Two security issues have been identified within Citrix ShareFile StorageZones Controller that, if exploited, could allow a compromised or malicious ShareFile user to write arbitrary files as that Active Directory user to the local file system, and also to discover the full local file system paths of shared files to which the ShareFile user has access.</p> <p>These issues affect all currently supported versions of Citrix ShareFile StorageZones Controller before version 5.4.2.</p> <p>The following issues have been addressed:</p> <p>• CVE-2018-16968 (Medium): Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory Traversal</p> <p>• CVE-2018-16969 (Low): Citrix ShareFile StorageZones Controller before 5.4.2 has Information Exposure Through an Error Message</p> </div> </div> </div> </div> <div> <h2> Mitigating Factors</h2> <div> <div> <div> <p>Exploiting these issues requires a compromised or malicious ShareFile user. To write files, the Active Directory user account must also have local file system permissions to write files to the chosen location. To read the full path of a shared file, the ShareFile user account must also have existing permission to the shared file.</p> </div> </div> </div> </div> <div> <h2> What Customers Should Do</h2> <div> <div> <div> <p>A new version of the Citrix ShareFile StorageZones Controller has been released. 
Citrix recommends that affected customers review the risks that these issues pose to their specific deployment and upgrade in a timely manner.</p> <p>Citrix also recommends that the StorageZones Controller be configured such that Active Directory user accounts only have permissions to read and write files within the storage path root.</p> <p>The StorageZones Controller can be downloaded at the following location: <a href="https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html">https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html</a></p> </div> </div> </div> </div> <div> <h2> Acknowledgements</h2> <div> <div> <div> <p>Citrix thanks Wolfgang Ettlinger of SEC Consult Vulnerability Lab (<a href="http://www.sec-consult.com/">http://www.sec-consult.com/</a>) for working with us to protect Citrix customers.</p> </div> </div> </div> </div> <div> <h2> What Citrix Is Doing</h2> <div> <div> <div> <div> <div> <p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u> <a href="http://support.citrix.com/">http://support.citrix.com/</a></u>.</p> </div> </div> </div> </div> </div> </div> <div> <h2> Obtaining Support on This Issue</h2> <div> <div> <div> <div> <div> <p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href="https://www.citrix.com/support/open-a-support-case.html">https://www.citrix.com/support/open-a-support-case.html</a></u>.</p> </div> </div> </div> </div> </div> </div> <div> <h2> Reporting Security Vulnerabilities</h2> <div> <div> <div> <div> <div> <p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. 
For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – <a href="http://support.citrix.com/article/CTX081743">Reporting Security Issues to Citrix</a></p> </div> </div> </div> </div> </div> </div> <div> <h2> Changelog</h2> <div> <div> <div> <table width="100%"> <tbody> <tr> <td colspan="1" rowspan="1">Date </td> <td colspan="1" rowspan="1">Change</td> </tr> <tr> <td colspan="1" rowspan="1">19th September 2018</td> <td colspan="1" rowspan="1">Initial publishing</td> </tr> </tbody> </table> </div> </div> </div> </div> </div></div> </section>