Warning: CrushFTP <11.1.0 Has a Vulnerability That Lets an Attacker Escape the Virtual File System and Download System Files
No CVE has been issued yet at the time of writing.
Sources
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
Risks
CrushFTP <11.1.0 has a virtual file system (VFS) escape vulnerability. Successful exploitation could allow users to download system files. CrowdStrike has seen this vulnerability exploited in the wild: https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
Description
On 2024-02-19, CrushFTP released version 11.1.0, fixing a VFS escape vulnerability. Customers that are using a DMZ in front of their instance are unaffected due to its protocol translation system. CrushFTP guidelines on DMZ setup can be found at: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=DMZ
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. The vulnerability has been fixed in version 11.1.0 and later. Patch instructions are provided by the vendor and available at: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.