
=====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN418
_____________________________________________________________________

DATE                : 20/08/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Citrix ShareFile storage zones
                                     controller.

=====================================================================
https://support.citrix.com/article/CTX322787
_____________________________________________________________________

CTX322787
Citrix ShareFile storage zones controller security update
Created: 10 Aug 2021 | Modified: 10 Aug 2021


Applicable Products

    ShareFile


Description of Problem

An issue has been identified in the CTX269106 mitigation tool for Citrix
ShareFile storage zones controller which causes the ShareFile file
encryption option to become disabled if it had previously been enabled.

Customers are only affected by this issue if they previously selected
“Enable Encryption” in the ShareFile storage zones controller
configuration page and did not re-select this setting after running the
CTX269106 mitigation tool. ShareFile customers who have not run the
CTX269106 mitigation tool or who re-selected “Enable Encryption”
immediately after running the tool are unaffected by this issue.

Customers using Citrix ShareFile storage zones controller 5.10.1 and
above or 5.11.18 and above can check if they are affected by this issue
by viewing the EncryptionServiceSettings file in the StorageLocation. If
IsEncryptionNeeded is set to True then the storage zones controller is
affected by this issue. Affected customers using 5.11.19 or above who
log in to the ShareFile storage zones controller configuration page will
also be presented with a pop-up which informs them that they are
affected by this issue.
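
The file check described above can be scripted across several storage
locations. The PowerShell below is an added example, not Citrix or
CERT-Renater code. The function name Test-ShareFileEncryptionFlag, the
status labels and the demo path are hypothetical, and because the advisory
does not describe the file's syntax, the pattern accepts JSON, XML and
key=value forms of IsEncryptionNeeded.

```powershell
# Added example: reports the IsEncryptionNeeded flag for each storage location.
# Assumption: the on-disk syntax of EncryptionServiceSettings is not given in the
# advisory, so the pattern below tolerates JSON, XML and key=value notations.
function Test-ShareFileEncryptionFlag {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$StorageLocation
    )
    process {
        foreach ($location in $StorageLocation) {
            # The advisory names the file but not its extension, hence the wildcard.
            $file = Get-ChildItem -LiteralPath $location -Filter 'EncryptionServiceSettings*' `
                        -File -ErrorAction SilentlyContinue | Select-Object -First 1
            $path = $null; $value = $null; $status = 'SettingsFileNotFound'
            if ($file) {
                $path = $file.FullName
                $text = Get-Content -LiteralPath $path -Raw
                if ($text -match 'IsEncryptionNeeded["'']?\s*[:=>]\s*["'']?(true|false)') {
                    $value = $Matches[1]
                    # Per the advisory, True means this controller is affected.
                    $status = if ($value -ieq 'true') { 'Affected' } else { 'NotFlagged' }
                } else {
                    $status = 'KeyNotFound'   # needs manual review
                }
            }
            [pscustomobject]@{
                StorageLocation    = $location
                SettingsFile       = $path
                IsEncryptionNeeded = $value
                Status             = $status
            }
        }
    }
}

# Constructed sample so the function can be exercised offline; not a real settings file.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'sz-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'EncryptionServiceSettings') -Value '{"IsEncryptionNeeded": true}'
Test-ShareFileEncryptionFlag -StorageLocation $demo | Format-List
```

A KeyNotFound or SettingsFileNotFound result is not a clean bill of health;
open the file by hand or use the configuration page for that zone.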


CVE-ID         : CVE-2021-22932
Description    : File encryption is disabled after running CTX269106
                 mitigation tool
Type           : CWE-312: Cleartext Storage of Sensitive Information
Pre-requisites : Access to an affected customer-managed ShareFile
                 storage zone


What Customers Should Do

Customers who have previously run the CTX269106 mitigation tool are
recommended to check if they are affected by this issue by following the
steps above. Customers who are unsure if they have previously run the
tool are also recommended to follow the steps above to check if they are
affected by this issue.

Citrix strongly recommends that affected customers address this issue as
soon as possible by first upgrading to ShareFile storage zones
controller 5.11.19 or later and then running the background encryption
task to ensure that any files which were not encrypted due to this issue
become encrypted. More information on this process is available at
https://citrix.sharefile.com/d-s09aed5d7e9ad4e89b97be38162edd201.

The latest versions of Citrix ShareFile storage zones controller are
available from the following Citrix website location:

https://www.citrix.com/downloads/sharefile/


What Citrix is Doing
Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at https://support.citrix.com/.


Obtaining Support on This Issue
If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical Support
are available at https://www.citrix.com/support/open-a-support-case/.


Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. For details
on our vulnerability response process and guidance on how to report
security-related issues to Citrix, please see the following webpage:
https://www.citrix.com/about/trust-center/vulnerability-process.html.


Disclaimer
This document is provided on an "as is" basis and does not imply any
kind of guarantee or warranty, including the warranties of
merchantability or fitness for a particular use. Your use of the
information on the document is at your own risk. Citrix reserves the
right to change or update this document at any time.


Changelog

Date           Change

2021-08-10     Initial Publication


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



