Detect and mitigate CVE-2024-4040, a critical vulnerability in CrushFTP exploited in the wild. Organizations should patch urgently.
Analysis Summary
# Vulnerability: CrushFTP Unauthenticated Remote Code Execution via VFS Sandbox Escape
## CVE Details
- CVE ID: CVE-2024-4040
- CVSS Score: 9.8 (Critical)
- CWE: Not explicitly mentioned, but related to authorization/sandbox bypass (potentially CWE-264 or CWE-22).
## Affected Systems
- Products: CrushFTP
- Versions: `10.x` releases before `10.7.1`, `11.x` releases before `11.1.0`, and older `9.x` releases.
- Configurations: Only exploitable when accessing the application via the web interface port (HTTP/HTTPS). Setups only exposing the SFTP port are considered safe.
## Vulnerability Description
CVE-2024-4040 is a critical vulnerability in CrushFTP's Virtual File System (VFS) sandbox mechanism. Initially described as an arbitrary file read that let low-privileged remote users access files outside their designated directory limits, further research showed it can lead to unauthenticated Remote Code Execution (RCE). The flaw is suspected to be exploitable as a Server-Side Template Injection (SSTI). Successful exploitation allows attackers to read root-level files, bypass administrator authentication, and execute arbitrary code on the server.
## Exploitation
- Status: Exploited in the wild
- Complexity: Low (no authentication required, minimal technical effort)
- Attack Vector: Network (via the web interface port)
## Impact
- Confidentiality: High (Access to sensitive files, potential administrator credentials)
- Integrity: High (Code execution allows system modification)
- Availability: High (Potential for system shutdown or full compromise)
## Remediation
### Patches
- Upgrade to CrushFTP version `10.7.1` or newer.
- Upgrade to CrushFTP version `11.1.0` or newer.
### Workarounds
- No permanent workarounds are officially listed beyond upgrading, as initial guidance (e.g., using a DMZ) was retracted.
- **Note:** Ensuring only the SFTP port is exposed to the internet mitigates *this specific* vector, as exploitation requires the web interface port.
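The affected-version ranges above and the web-interface exposure condition can be turned into a triage check. This is an added example, not code from CrushFTP, Wiz, or the referenced advisories; the version strings and listener labels are constructed sample input, and the `FIXED` table simply encodes the fixed releases listed in this summary.

```python
"""Triage helper for CVE-2024-4040: is this CrushFTP release in the affected
range, and do the exposed listeners make the flaw reachable?
Added example; version strings and listener lists below are constructed."""
import re

# Fixed release per major version, taken from the Remediation section.
# 9.x has no fixed release and is treated as always affected.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as
    '10.6.2' or 'CrushFTP 11.0.5_12'; a missing patch component is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def version_affected(text):
    """True if the release predates the fix for its own major version."""
    v = parse_version(text)
    major = v[0]
    if major <= 9:
        return True
    fixed = FIXED.get(major)
    if fixed is None:
        return False  # a major version newer than the advisory covers
    return v < fixed


def exposure(listeners):
    """Classify reachability from the protocols exposed to untrusted networks.
    Exploitation needs the HTTP/HTTPS web interface; SFTP-only is considered safe."""
    names = {name.lower() for name in listeners}
    if names & {"http", "https"}:
        return "web-ui-exposed"
    return "sftp-only" if names else "no-listeners"


def assess(text, listeners):
    """Combine version and exposure into a single triage verdict."""
    if not version_affected(text):
        return "patched"
    if exposure(listeners) == "web-ui-exposed":
        return "vulnerable-and-reachable"
    return "vulnerable-but-not-reachable"


if __name__ == "__main__":
    # Constructed sample inventory: (version banner, exposed listeners).
    for banner, exposed in [("10.6.2", ["https", "sftp"]), ("11.0.5_12", ["sftp"]),
                            ("11.1.0", ["https"]), ("9.3", ["http"])]:
        print(f"{banner:12} {exposed!s:20} -> {assess(banner, exposed)}")
```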
## Detection
- Indicators of Compromise: File access anomalies or unexpected process execution originating from the CrushFTP service.
- Detection Methods and Tools: Wiz Threat Center provides a pre-built query for detection in their environments. Monitor network traffic targeting the CrushFTP web interface port for suspicious patterns related to unauthorized file access or command execution.
## References
- CrushFTP advisory: hxxps://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
- Rapid7 blog: hxxps://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
- Proof of Concept (Sandbox Escape): hxxps://github.com/airbus-cert/CVE-2024-4040