Lucene search

K
citrixCitrixCTX269106
HistoryMay 05, 2020 - 4:00 a.m.

Citrix ShareFile storage zones Controller multiple security updates

2020-05-0504:00:00
support.citrix.com
83

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.796 High

EPSS

Percentile

98.3%

Description of Problem

Security issues have been identified in customer-managed Citrix ShareFile storage zone controllers. These vulnerabilities, if exploited, would allow an unauthenticated attacker to compromise the storage zones controller potentially giving an attacker the ability to access ShareFile users’ documents and folders.

These issues have been given the following identifiers:

  • CVE-2020-7473
  • CVE-2020-8982
  • CVE-2020-8983

Customer-managed storage zones created using the following versions of the storage zones controller are affected:

  • ShareFile storage zones Controller 5.9.0
  • ShareFile storage zones Controller 5.8.0
  • ShareFile storage zones Controller 5.7.0
  • ShareFile StorageZones Controller 5.6.0
  • ShareFile StorageZones Controller 5.5.0
  • All earlier versions of ShareFile StorageZones Controller

Storage zones created using the recently released versions of storage zones controllers listed below are not affected:

  • Storage Zones Controller 5.10.0 and later 5.10 releases
  • Storage Zones Controller 5.9.2 and later 5.9 releases
  • Storage Zones Controller 5.8.2 and later 5.8 releases
  • Storage Zones Controller 5.7.2 and later 5.7 releases
  • ShareFile StorageZones Controller 5.6.2 and later 5.6 releases
  • ShareFile StorageZones Controller 5.5.2 and later 5.5 releases

Storage zones created using a vulnerable version of the storage zones controller are at risk even if the storage zones controller has been subsequently updated.

What Customers Should Do

Customers with Citrix-managed storage zones do not need to take any action. Customers with customer-managed storage zones should ensure they are running on a supported version. In order to address the issue customers are strongly recommended to run the mitigation tool as soon as possible on the storage zone controllers managing each impacted storage zone by following the guidance in the following support article:

<https://support.citrix.com/article/CTX269341&gt;__

Acknowledgements

Citrix thanks Danske Bank Red-Team for working with us on CVE-2020-8982 and CVE-2020-8983 to protect Citrix customers. Citirix would also like to thank Daniel Jensen (@dozernz) for working with us to protect Citrix customers.

What Citrix Is Doing

Citrix is notifying customers and channel partners with customer-managed storage zone controllers about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/&gt;.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html&gt;_.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at <https://www.citrix.com/about/trust-center/vulnerability-process.html&gt;.

Changelog

Date Change
2020-05-05 Initial publication
2020-06-24 Fixed versions updated

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.796 High

EPSS

Percentile

98.3%