WARNING: CrushFTP Zero-Day Allows RCE, Patch CVE-2024-4040 Immediately!
CVE-2024-4040: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Sources
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
Risks
A zero-day vulnerability in CrushFTP poses an imminent threat, as it could grant unauthorized remote access to the CrushFTP server, potentially resulting in severe consequences. An attacker could exploit this flaw to gain complete control over the server, including the ability to access any file, acquire administrative privileges, and execute harmful code. Such exploitation could lead to a range of detrimental outcomes, such as data breaches, additional malware infections, and various other malicious activities.
There is evidence of the vulnerability's exploitability through proof-of-concept exploits. Moreover, it has been actively exploited, prompting its inclusion in the CISA Known Exploited Vulnerability list.
The confidentiality, integrity, and availability of the system are severely at risk due to this vulnerability.
Description
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
The vulnerability has been fixed in versions 10.7.1 and later and 11.1.0 and later. Patch instructions are provided by the vendor and available via source links above.
Earlier messages said using a DMZ in front of the main CrushFTP instance offered protection. However, this does not fully protect and users must update immediately.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=DMZ
https://www.cisa.gov/known-exploited-vulnerabilities-catalog