Citrix ShareFile StorageZones Controller Multiple Security Updates

Related Vulnerabilities: CVE-2018-16968, CVE-2018-16969

Description of Problem

Two security issues have been identified within Citrix ShareFile StorageZones Controller that, if exploited, could allow a compromised or malicious ShareFile user to write arbitrary files as that Active Directory user to the local file system, and also to discover the full local file system paths of shared files to which the ShareFile user has access.

These issues affect all currently supported versions of Citrix ShareFile StorageZones Controller before version 5.4.2.

The following issues have been addressed:

• CVE-2018-16968 (Medium): Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory Traversal

• CVE-2018-16969 (Low): Citrix ShareFile StorageZones Controller before 5.4.2 has Information Exposure Through an Error Message

Mitigating Factors

These issues require a compromised or malicious ShareFile user in order to exploit them. To write files, the Active Directory user account must also have local file system permissions to write files to the chosen location. To read the full path of a shared file, the ShareFile user account must also have existing permission to the shared file.


What Customers Should Do

A new version of the Citrix ShareFile StorageZones Controller has been released. Citrix recommends that affected customers review the risks that these issues pose to their specific deployment and upgrade in a timely manner.

Citrix also recommends that the StorageZones Controller be configured such that Active Directory user accounts only have permissions to read and write files within the storage path root.
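The recommendation above is a least-privilege check an administrator can verify rather than assume. The following PowerShell script is an added example, not Citrix code: it reads the NTFS ACLs on the controller host and reports every audited directory outside the storage path root where the ShareFile Active Directory account holds write rights. The account name `CORP\sharefile-svc`, the root `D:\ShareFileStorage` and the script file name are constructed placeholders; substitute the identity and storage path root used in your deployment.

```powershell
# Added example, not Citrix code: audit NTFS ACLs on the StorageZones Controller host and
# list directories OUTSIDE the storage path root where the ShareFile AD account can write.
# 'CORP\sharefile-svc' and 'D:\ShareFileStorage' below are constructed placeholders.
# Usage (elevated PowerShell on the controller host; built-in cmdlets only):
#   .\Audit-StorageRootWrites.ps1 -Identities 'CORP\sharefile-svc' -StorageRoot 'D:\ShareFileStorage'
param(
    # AD accounts and groups whose ACEs count, e.g. 'CORP\sharefile-svc'. Group membership
    # is not resolved automatically, so list the groups the account belongs to as well.
    [Parameter(Mandatory)] [string[]] $Identities,

    # Storage path root configured on the controller, e.g. 'D:\ShareFileStorage'.
    [Parameter(Mandatory)] [string] $StorageRoot,

    # Directories to audit. Default: every fixed-drive root and its top-level directories.
    [string[]] $PathsToCheck
)

# Any of these rights lets the account create or overwrite files in a directory.
# ACEs carrying raw generic rights (shown as plain numbers) are not matched by this mask.
$writeRights = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl'

$root = (Resolve-Path -LiteralPath $StorageRoot).ProviderPath.TrimEnd('\')

function Test-InsideRoot {
    param([string] $Path)
    $p = $Path.TrimEnd('\')
    return ($p -ieq $root) -or
           $p.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)
}

if (-not $PathsToCheck) {
    $PathsToCheck = foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
        $driveRoot = "$($disk.DeviceID)\"
        $driveRoot
        Get-ChildItem -LiteralPath $driveRoot -Directory -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName }
    }
}

$findings = foreach ($dir in $PathsToCheck) {
    # Writes inside the storage root are expected; only report paths outside it.
    if (Test-InsideRoot $dir) { continue }

    # Directories the auditing session cannot read are skipped rather than aborting the run.
    try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }

    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($Identities -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $writeRights) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $dir
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Write rights found outside $root for: $($Identities -join ', ')"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No write rights outside $root found for: $($Identities -join ', ')"
}
```

Every row in the report is a location where the account could place a file should the traversal be exercised, so each should either be removed from the ACL or justified. The script only inspects Allow entries that name one of the supplied identities directly; it does not evaluate Deny entries or nested group membership, and it audits only the directories passed in (by default drive roots and their immediate children), so extend `-PathsToCheck` to cover application directories such as the IIS web root if they sit deeper in the tree.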

The StorageZones Controller can be downloaded at the following location: https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html


Acknowledgements

Citrix thanks Wolfgang Ettlinger of SEC Consult Vulnerability Lab (http://www.sec-consult.com/) for working with us to protect Citrix customers.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix.

Changelog

Date                 Change
19th September 2018  Initial publishing