CrushFTP Zero-Day Flaw

Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild.

"CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP said in an advisory released Friday. "This has been patched in v11.1.0."

CrushFTP added that customers operating their instances within a DMZ (demilitarized zone) restricted environment are protected against the attacks.


Simon Garrelou of Airbus CERT has been credited with discovering and reporting the flaw. It has yet to be assigned a CVE identifier.

Cybersecurity company CrowdStrike, in a post shared on Reddit, said it has observed an exploit for the flaw being used in the wild in a "targeted fashion."


These intrusions are said to have mainly targeted U.S. entities, with the intelligence gathering activity suspected to be politically motivated.

"CrushFTP users should continue to follow the vendor's website for the most up-to-date instructions and prioritize patching," CrowdStrike said.

Update

When reached for comment, CrushFTP's founder and president Ben Spink told The Hacker News that it's aware of a report from CrowdStrike about active exploitation of the flaw, but noted that the company hasn't heard anything from its customers so far.

Spink also emphasized that no additional technical details about the issue have been made public either by CrushFTP or Airbus. The Hacker News has reached out to CrowdStrike for more details on the exploitation, and we will update the story if we hear back.

"We patched the vulnerability within a couple hours of being made aware of it, and then worked through testing and confirming the fix before issuing emails to everyone on the notification list of emergency updates," Spink said.

"10.7.1 patches all v10 versions and 11.1 patches all v11 versions. No one should still be running v9. Customers who have paid for extended support can contact us for a patched v9 version."
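A version triage helper for the patch guidance above, added here as an example and not code from CrushFTP, Airbus CERT or The Hacker News. It classifies reported version strings against the fixed releases Spink names (10.7.1 for the v10 line, 11.1 for the v11 line, v9 unsupported without extended support), so an inventory can be ordered by what still needs patching. The "major.minor.patch" string format, the function names and the host inventory are assumptions constructed for the example.

```python
"""Triage reported CrushFTP versions against the fixed releases for CVE-2024-4040.

Added example, not vendor or Airbus CERT code. Fixed-release thresholds come
from the vendor statement: 10.7.1 patches all v10, 11.1 patches all v11,
v9 has no public fix. Version string format and sample inventory are assumptions.
"""
import re

# Lowest fixed release per major line (from the vendor statement).
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}

# Assumed format: optional leading "v", then major[.minor[.patch]].
_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from strings like 'v11.0.3' or '10.7'.

    Missing components are treated as 0; unrecognised input raises ValueError
    rather than silently classifying a host as patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def triage(version_text):
    """Classify one version as 'patched', 'vulnerable', 'unsupported' or 'unknown'.

    'unsupported' is v9 and older (extended-support customers must contact the
    vendor); 'unknown' is a major line the advisory does not cover.
    """
    v = parse_version(version_text)
    major = v[0]
    if major <= 9:
        return "unsupported"
    if major not in FIXED:
        return "unknown"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "patched" if v >= FIXED[major] else "vulnerable"


# Constructed sample inventory (hostname -> reported version); not real hosts.
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "v11.0.3",
    "ftp-b.example.internal": "11.1.0",
    "ftp-c.example.internal": "10.6.2",
    "ftp-d.example.internal": "10.7.1",
    "ftp-e.example.internal": "9.4.0",
}


def triage_inventory(inventory):
    """Group hostnames by triage status, most urgent first."""
    result = {"vulnerable": [], "unsupported": [], "unknown": [], "patched": []}
    for host, version in inventory.items():
        result[triage(version)].append(host)
    return result


if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

The helper deliberately refuses to parse junk rather than defaulting to "patched", and treats any major line the advisory does not mention as "unknown" so that a future release is reviewed by hand instead of being assumed safe.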

Airbus CERT Releases Exploit Scanner for the Flaw

The critical CrushFTP security flaw has been assigned the CVE identifier CVE-2024-4040 (CVSS score: 9.8), with the NIST National Vulnerability Database (NVD) describing it as a "server side template injection vulnerability."

It enables "unauthenticated remote attackers to read files from the filesystem outside of the [virtual file system] sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server," according to the description.


Airbus CERT has since published a set of Python scripts on GitHub that can be used to scan a target for the CrushFTP file read vulnerability as well as look for indicators of compromise (IoCs) in a CrushFTP server installation directory.

According to CrowdStrike, the flaw has been exploited as a zero-day to target multiple U.S. entities. No further details about attribution or the nature of these targeted attacks are available as of writing.

Rapid7, in an in-depth analysis published on Monday, said CVE-2024-4040 is trivial to exploit, enabling a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.

"Payloads for CVE-2024-4040 can be delivered in many different forms," Caitlin Condon, director of vulnerability intelligence at Rapid7, said. "When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic."

"CrushFTP instances behind a standard reverse proxy, such as NGINX or Apache, are partially defended against these techniques, but our team has found that evasive tactics are still possible."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the vendor provided fixes by May 1, 2024.

(The story was updated after publication to include technical specifics of the flaw shared by Rapid7.)
