
CrushFTP vulnerability offers attackers full server access – act fast

TLDR:

  • A zero-day vulnerability (CVE-2024-4040) in CrushFTP versions before 10.7.1 (10.x line) and 11.1.0 (11.x line) lets an unauthenticated attacker read files outside the VFS sandbox and, from there, gain complete control of the server.
  • A patch is available: upgrade to 10.7.1 or later on version 10, or 11.1.0 or later on version 11.

In a recent disclosure, CrushFTP revealed a zero-day vulnerability (CVE-2024-4040) affecting all versions before 10.7.1 and 11.1.0. The flaw is a server-side template injection (SSTI) in CrushFTP's web interface that lets a remote attacker escape the Virtual File System (VFS) sandbox and read arbitrary files on the underlying filesystem. The vendor's initial description spoke of attackers with low privileges, but exploitation has since been confirmed to work without valid credentials. Arbitrary file read is the foothold, not the end state: an attacker can use it to bypass authentication, read any file the CrushFTP process can reach (the service frequently runs as root), and ultimately execute code on the server.

The vulnerability is severe on three counts: exploitation requires no authentication, public exploit code is available, and the flaw has been confirmed to let unauthenticated attackers read files outside the VFS sandbox. From that position an attacker can steal data, install malware, or fully compromise the CrushFTP server.

Roughly 5,200 CrushFTP servers are exposed to the public internet and potentially vulnerable. Upgrading to 10.7.1 or 11.1.0 (or later in the respective line) is the only real mitigation and should be done without delay. Do not treat network placement as a substitute for the patch: it is unclear whether a DMZ deployment actually shields a backend CrushFTP instance from this attack.
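As a triage aid for the upgrade guidance above, the following Python helper (added here for illustration; it is not CrushFTP's own tooling nor one of the detection tools the article mentions) compares reported version strings against the two fix thresholds and lists the hosts that still need the patch. The inventory dictionary is constructed sample data. Treating releases older than the 10.x line as unpatched and any future major line as fixed is an assumption drawn from the advisory's "below 10.7.1 and 11.1.0" wording.

```python
"""Flag CrushFTP installs still below the CVE-2024-4040 fix versions."""
import re

# Fixed versions from the advisory: 10.7.1 for the 10.x line, 11.1.0 for 11.x.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ftp-a.example.test": "CrushFTP 10.6.2",
    "ftp-b.example.test": "10.7.1",
    "ftp-c.example.test": "11.0.3",
    "ftp-d.example.test": "11.1.0",
    "ftp-e.example.test": "9.4.0",
}


def parse_version(text):
    """Extract (major, minor, patch) from strings like '10.6.2' or 'CrushFTP 11.0.3'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    # Integer tuples compare numerically, so 10.7.10 ranks above 10.7.1
    # (a plain string comparison would get this wrong).
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True if the version is below the fix threshold for its major line."""
    v = parse_version(version)
    major = v[0]
    if major < 10:
        # Assumption: anything older than 10.x is "below 10.7.1" and unpatched.
        return True
    if major > 11:
        # Assumption: later major lines were released after the fix.
        return False
    return v < FIXED[major]


def triage(inventory):
    """Given {host: version_string}, return the sorted hosts that need patching."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade required")
```

The check is purely version-based: it tells you which servers are still on an affected release, not whether any of them has already been exploited, so it belongs in front of the patching step rather than in place of a compromise review.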

Exploitation of CVE-2024-4040 is hard to detect: attackers can vary their payloads and use evasion techniques to hide the malicious request, and a reverse proxy in front of the server does not guarantee that the traffic will be seen. A detection write-up has since been released that explains how the vendor fixed the issue, provides detection rules for security tooling, and includes tools for identifying vulnerable CrushFTP installations. Patching does not undo an earlier intrusion, so servers that were exposed before the upgrade should also be reviewed for signs of compromise.
