Thursday, May 02, 2019

CVE 2019-7218: CITRIX SHAREFILE TWO FACTOR AUTHENTICATION DOWNGRADE TO ONE FACTOR

Today’s post reveals a critical vulnerability affecting Citrix ShareFile versions up to and including 19.1. The application implements two-phase authentication in which OTP (One-Time Password) validation occurs independently of username/password verification.

Citrix ShareFile Application v.19.1

Under specific conditions, an attacker who gains access to a victim’s OTP generator (physical token or virtual app like Google Authenticator) can bypass the first phase of authentication—the username and password—and gain access by submitting only a username and valid OTP.

This behavior effectively downgrades 2FA to 1FA, allowing unauthorized access without knowing the user’s password, provided the OTP device is compromised.

A deeper analysis of this vulnerability shows that the flaw lies in the server’s authentication flow logic, which fails to enforce the required sequence of authentication phases. Specifically, the server does not verify that the user has successfully completed phase 1 (username/password) before accepting and validating phase 2 (OTP).

As a result, if an attacker gains access to a user’s offline OTP token—whether physical or virtual—they can initiate a login session by submitting only the username and a valid OTP. The server mistakenly considers the OTP sufficient for authentication, thereby bypassing password validation entirely.

It is important to note that this vulnerability is only exploitable when:

  • The OTP is generated offline, using a pre-configured shared secret (TOTP/HOTP).

  • The server does not tie OTP validation to a prior successful username/password authentication.

  • OTPs are not generated on demand and sent dynamically (e.g., via SMS or voice).

Exploitation Steps

Here is how the vulnerability can be exploited:

  1. Attacker obtains access to the victim’s OTP source (Google Authenticator, physical token, etc.).

  2. Intercept or recreate a login request, even with invalid or garbage values for the username and password fields.

  3. Modify the request to insert the valid victim’s username and current OTP in place of the original credentials.

  4. Send the modified request to the server.

  5. Server validates OTP without verifying if username/password was correct—granting access.

This attack relies on the incorrect server-side assumption that OTP alone is a sufficient condition for authentication success.
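To show the sequencing flaw and its fix side by side, here is an added example (not code from Citrix or from the advisory) that models the two phases in Python with a session dictionary: verify_otp_vulnerable judges op=webflow-verify on username and OTP alone, while verify_otp_fixed refuses phase 2 unless the same username has just passed phase 1. The account, password and TOTP secret are constructed for the demo; USERS, phase1 and the function names are assumptions.

```python
import hashlib, hmac, struct, time

# Constructed demo account (not a real ShareFile record): a password hash and the
# TOTP shared secret that the user's offline OTP generator also holds.
USERS = {
    "victim@example.com": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"constructed-shared-secret-0123",
    }
}

def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), computed exactly as an offline token or app does."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def otp_matches(username, code, now=None):
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(totp(user["totp_secret"], now), code)

def phase1(session, username, password):
    """Phase 1 (username/password). Records which account passed it in the session."""
    user = USERS.get(username)
    ok = user is not None and hmac.compare_digest(
        user["password_hash"], hashlib.sha256(password.encode()).hexdigest())
    session["phase1_user"] = username if ok else None
    return ok

def verify_otp_vulnerable(session, username, code, now=None):
    """Mirrors the flaw: op=webflow-verify is judged on username + OTP alone."""
    if otp_matches(username, code, now):
        session["authenticated"] = username
        return True
    return False

def verify_otp_fixed(session, username, code, now=None):
    """Hardened: phase 2 counts only for the account that just completed phase 1."""
    if session.get("phase1_user") != username:
        return False  # sequence violated: reject before even looking at the OTP
    if otp_matches(username, code, now):
        session["authenticated"] = username
        session["phase1_user"] = None  # one-shot: the next phase 2 needs a fresh phase 1
        return True
    return False
```

The hardened check also rejects a phase 2 for a different username than the one that passed phase 1, which closes the "garbage phase 1, victim's name in phase 2" variant the steps above describe.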

Below are the requests used to exploit this vulnerability. First, the attacker intercepts a log-in request sent with garbage data and uses it as the base for the attack, changing the OTP and Password parameters.

Phase 1 default log-in request and response

Request modifications:

op=webflow-verify and code=[OTP]

If the username/OTP combination is correct (phase 2 succeeds), phase 1 authentication is bypassed and the attacker gains unauthorized access to the application, as shown below:

Evil phase 2 request with modified parameters

The following image serves as evidence of unauthorized access to the web application by exploiting this vulnerability:

Unauthorized access to the application

Recommended Mitigations:

  • Review and correct authentication logic to ensure OTP validation is only triggered after successful password verification.

  • Enforce strict sequencing of authentication phases in all login flows.

  • Log and alert on any login attempts where OTP is accepted without prior successful password authentication.

  • Consider implementing risk-based authentication to detect and block anomalous login flows.

  • Educate users on safeguarding their OTP tokens and treating them as sensitive credentials.

This issue emphasizes the importance of strong backend enforcement of authentication phases, especially in systems relying on token-based 2FA. Organizations should review their implementations immediately to ensure that OTP validation cannot occur independently of password verification. Our team is available to assist with auditing or remediation support as needed.

Conclusion

This vulnerability represents a significant break in the two-factor authentication model, where possession of an OTP device becomes the only required factor, completely bypassing password-based identity verification.

Reporting Information:

CVE Identifier: CVE-2019-7218
CVSS Score: 5.9
Affected Versions: Citrix ShareFile through 19.1
Tested on: Citrix ShareFile version 19.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-7218
Product URL: https://www.sharefile.com/
Reported by: Armando Huesca Prida, Andrea Pessione


CVE 2019-7217: CITRIX SHAREFILE USER ENUMERATION

Today’s post highlights an unauthenticated username enumeration vulnerability discovered in Citrix ShareFile, affecting versions up to and including 19.1.

Citrix ShareFile Application v.19.1

This issue allows an attacker to determine whether specific usernames exist in the system by analyzing differences in server responses to OTP (One-Time Password) verification requests—without needing to log in. 

For example, the server returns different error messages depending on the username’s registration status:

  • Registered Username:
            {"error": true, "errorMessage": "Unable to verify two factor code.", "errorCode": 122}
  • Unregistered Username:
            {"error": true, "errorMessage": "You are not authorized to use this client", "errorCode": 126}

 

Request RAW:

POST /oauth/oauthapi.aspx HTTP/1.1
Host: xxx.sharefile.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.sharefile.eu/Authentication/Login
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 293
Connection: close

tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&response_type=code&client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&state=FxwxORudhXUqUh3phnC6Mg%3D%3D&redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&h=&requireV3=false&code=123


These behavioral discrepancies allow an unauthenticated attacker to distinguish valid from invalid usernames by analyzing the response to each OTP verification attempt.

This lack of uniformity creates an information disclosure vulnerability that violates secure authentication practices and enables silent reconnaissance.


Exploitation Steps

The enumeration process is straightforward and does not require credentials:

  1. Prepare an OTP verification request, substituting in a username or email address from a target list.

  2. Send the request to the ShareFile server.

  3. Observe the response:

    • The server responds differently based on whether the specified username exists or not.

  4. Repeat the process with a list of possible usernames to compile a set of valid accounts.

This technique can be automated to quickly identify active accounts in the environment, setting the stage for follow-up attacks like password spraying or phishing.


Recommended Mitigations:

  • Standardize OTP verification responses for both valid and invalid usernames.

  • Implement rate limiting and alerting for failed OTP validation attempts.

  • Restrict unauthenticated access to OTP-related endpoints when possible.

  • Monitor logs for suspicious patterns of OTP submissions from untrusted sources.

  • Educate users about phishing risks and enforce multi-factor authentication (MFA).
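As an added example that is not part of the original advisory, the following Python applies the rate-limiting and log-monitoring recommendations above to constructed log lines: it groups failed webflow-verify requests by source and flags sources that sweep many distinct usernames and mostly receive errorCode 126, which is the shape of an enumeration run rather than of a user mistyping an OTP. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed application log lines (not real ShareFile logs): one line per failed
# op=webflow-verify request and the errorCode the server returned.
#   122 = "Unable to verify two factor code."        (account exists)
#   126 = "You are not authorized to use this client" (account unknown)
SAMPLE_LOG = """\
2019-05-02T10:00:01Z src=203.0.113.7 op=webflow-verify user=alice@example.com errorCode=122
2019-05-02T10:00:02Z src=203.0.113.7 op=webflow-verify user=bob@example.com errorCode=126
2019-05-02T10:00:02Z src=203.0.113.7 op=webflow-verify user=carol@example.com errorCode=126
2019-05-02T10:00:03Z src=203.0.113.7 op=webflow-verify user=dave@example.com errorCode=126
2019-05-02T10:00:03Z src=203.0.113.7 op=webflow-verify user=erin@example.com errorCode=122
2019-05-02T10:00:04Z src=203.0.113.7 op=webflow-verify user=frank@example.com errorCode=126
2019-05-02T10:05:00Z src=198.51.100.9 op=webflow-verify user=alice@example.com errorCode=122
2019-05-02T10:05:20Z src=198.51.100.9 op=webflow-verify user=alice@example.com errorCode=122
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) op=webflow-verify user=(?P<user>\S+) errorCode=(?P<code>\d+)$")

def parse(log_text):
    """Yield (src, user, errorCode) for each webflow-verify failure line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["user"], int(m["code"])

def find_enumeration(log_text, min_users=5, min_unknown_ratio=0.5):
    """Flag sources that probe many distinct usernames and mostly hit unknown
    accounts (errorCode 126). A real user fumbling an OTP produces repeated 122s
    for one name, not a spread of 126s across many names."""
    users, unknown, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, user, code in parse(log_text):
        users[src].add(user)
        total[src] += 1
        if code == 126:
            unknown[src] += 1
    alerts = {}
    for src, n in total.items():
        ratio = unknown[src] / n
        if len(users[src]) >= min_users and ratio >= min_unknown_ratio:
            alerts[src] = {"distinct_users": len(users[src]), "unknown_ratio": round(ratio, 2)}
    return alerts
```

Once responses are standardized as the first mitigation recommends, the errorCode signal disappears, but the distinct-username count per source remains a useful spraying and enumeration indicator.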


Conclusion:

This vulnerability in Citrix ShareFile (≤ 19.1) underscores the importance of consistent server-side handling of authentication-related operations. The ability to enumerate valid usernames without authentication creates unnecessary exposure and elevates the risk of follow-on attacks.


Reporting Information:

CVE Identifier: CVE-2019-7217
CVSS Score: 7.5
Affected Versions: Citrix ShareFile through 19.1
Tested on: Citrix ShareFile version 19.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-7217
Product URL: https://www.sharefile.com/
Reported by: Armando Huesca Prida, Andrea Pessione