Danske Bank Red Team discovers yet more Citrix 0-day vulnerabilities. In Danske, we are continuously hunting for vulnerabilities in our own growing portfolio of online applications, as well as in the vendor stack that powers our services. For the Red Team, everything is in scope. Last spring, we presented CVE-2018-18571, which provided authentication bypass to Citrix XenMobile (get access to an organization's network and all enrolled phones). This spring, we present CVE-2020-8982 & CVE-2020-8983, which provide unauthenticated arbitrary file read and unauthenticated arbitrary file write (remote code execution) on Citrix ShareFile Storage Zone Controllers. The impact is quite critical, as both RCE and file access are granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). Danske Bank Red Team roster: Saulius Pranckevičius, Petras Skėrus, Mads Bograd, Alexander Staalgaard and Jonas Hansen. #danskebank #hacking #zeroday #cybersecurity #infosecurity #cloudsecurity
Good to hear as a customer 👏
Respekt!
Would you mind doing a talk at OWASP Copenhagen about it? :-) Alessandro Bruni
Respect, and great to see you remain a strong and relevant team. Please keep pushing an important agenda, which I am sure goes way beyond your own business.
Respect!
Impressive!
Great work
Jonas and his team continue to be Rockstars. Awesome work.