Progress Software has recently confirmed that a zero-day vulnerability was the root cause of the interruption experienced by users of the ShareFile Storage Zones Controller. The company has announced that services are gradually being restored.
Two days prior to this announcement, Progress had disabled access to ShareFile accounts for all users utilizing Storage Zones Controllers, citing a credible external security threat. This action was taken as a precautionary measure to protect customer data.
Restoration of Services
Progress reported to SecurityWeek that as of July 14, access has been reinstated for customers using the ShareFile Storage Zones Controller. This follows a service disruption that had been previously communicated by the company.
The decision to temporarily shut down affected servers was due to the discovery of a high-severity vulnerability impacting versions 5.x and 6.x of the Storage Zones Controller. Progress took swift action by developing and distributing patched versions to its customers.
Details of the Vulnerability
While specific details of the vulnerability have not been disclosed, Progress assures that there is no evidence of unauthorized access to customer accounts or data. The issue, identified as a path traversal bug, can be exploited by attackers with administrative privileges.
In communications with clients, Progress described the vulnerability as allowing authenticated users to read and modify files accessible to the application’s service account, posing potential risks if exploited.
Expert Opinions and Recommendations
Benjamin Harris, CEO of WatchTowr, expressed concerns over the extent of the vulnerability, suggesting that there might be more undisclosed aspects given the company’s aggressive response.
Security experts recommend that all users update their ShareFile Storage Zones Controllers immediately and remain vigilant. Harris emphasized that applying a patch might not be the final solution and that users should continue to monitor their systems for any unusual activity.
As the situation develops, Progress Software remains committed to ensuring the security of its services and customer data, urging users to implement the necessary updates promptly.
