CrushFTP disclosed a zero-day vulnerability (CVE-2024-4040) affecting versions below 10.7.1 and 11.1.0, allowing remote attackers with low privileges to bypass the VFS sandbox and read arbitrary files on the underlying filesystem.
It could be exploited for server-side template injection (SSTI) attacks, granting attackers complete control over the compromised CrushFTP server, enabling them to bypass authentication, read arbitrary files with root privileges, and execute code on the server.
This vulnerability poses a severe threat because it requires no authentication and has publicly available exploit code. By exploiting it, attackers can steal data, install malware, or fully compromise the CrushFTP server. CVE-2024-4040 enables unauthenticated attackers to access arbitrary files beyond the Virtual File System (VFS) sandbox.
CrushFTP Zero-Day
Before a patch became available, this vulnerability was already being exploited in the wild, with approximately 5,200 CrushFTP servers exposed on the public Internet and therefore at risk.
Moreover, this vulnerability facilitates unauthenticated attackers in reading files beyond the designated file system sandbox, potentially leading to privilege escalation and remote code execution.
To mitigate the vulnerability effectively, it is necessary to upgrade to CrushFTP 11.1.0 or 10.7.1 (depending on the version series), both of which have been validated to address CVE-2024-4040.
A critical vulnerability in CrushFTP (CVE-2024-4040) permits attackers with limited privileges to bypass the VFS sandbox, potentially leading to complete system compromise. CrushFTP strongly advises an immediate update to patched versions (10.7.1 or later for version 10, 11.1.0 or later for version 11) to address this issue.
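The patched releases differ per series, so a plain "is the version number smaller than X" check gets the 11.0.x branch wrong. The script below, an added example that is not part of the original article or of CrushFTP's own tooling, applies the two thresholds the advisory names (10.7.1 for the 10.x series and older, 11.1.0 for the 11.x series) to an inventory of hosts; the host names and version strings are constructed sample data, and the assumption that releases newer than 11.1.0 carry the fix is noted in the code.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Earliest fixed release in each affected series, as stated in the advisory.
PATCHED_10: Version = (10, 7, 1)
PATCHED_11: Version = (11, 1, 0)


def parse_version(version: str) -> Optional[Version]:
    """Parse 'major.minor.patch'; missing components default to 0.

    A trailing build suffix such as '_1' or '-beta' is tolerated and ignored.
    Returns None for strings that do not look like a version number.
    """
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[_-]\S*)?\s*", version)
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the given CrushFTP version predates its series' fixed release.

    Returns None when the version string cannot be parsed, so that unknown
    hosts are surfaced for manual review instead of silently passing.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    if parsed[0] >= 11:
        # 11.x series is fixed from 11.1.0; anything newer than 11 is
        # assumed (not stated on the page) to include the fix.
        return parsed < PATCHED_11
    # 10.x series, and any older series, is fixed from 10.7.1.
    return parsed < PATCHED_10


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (host, version) pairs into vulnerable / patched / unknown buckets."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        state = is_vulnerable(version)
        bucket = "unknown" if state is None else ("vulnerable" if state else "patched")
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    ("ftp-1.example.test", "10.6.2"),   # below 10.7.1 -> vulnerable
    ("ftp-2.example.test", "10.7.1"),   # first fixed 10.x release
    ("ftp-3.example.test", "11.0.3"),   # below 11.1.0 -> vulnerable
    ("ftp-4.example.test", "11.1.0"),   # first fixed 11.x release
    ("ftp-5.example.test", "unknown"),  # unparsable -> needs manual review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Feed it whatever your asset inventory or configuration management system reports as the CrushFTP version string; hosts that land in the "unknown" bucket should be checked by hand rather than assumed safe.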
Rapid7 recommends applying the patch immediately rather than relying solely on a DMZ, given the severity of the issue and uncertainty about how effective a DMZ would be. Detecting exploitation of CVE-2024-4040 is challenging because of the diverse payloads and evasion techniques that conceal malicious content in logs, making attacks difficult to distinguish from legitimate traffic.
Even with a reverse proxy in place, attackers may still evade detection.
On April 23rd, 2024, a detection update was released for CVE-2024-4040, a server-side template injection vulnerability in CrushFTP.
This update encompasses details on the vendor’s successful remediation, detection protocols for InsightIDR and Rapid7 MDR, and tools for identifying vulnerable CrushFTP installations within InsightVM and Nexpose environments.