CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040)
A vulnerability (CVE-2024-4040) in the enterprise file transfer solution CrushFTP is being exploited by attackers in a targeted fashion, according to CrowdStrike.
The vulnerability allows attackers to escape their virtual file system (VFS) and download system files (e.g., configuration files), but only if the solution’s WebInterface is exposed on the internet.
According to Censys, there are currently 9,600+ publicly exposed CrushFTP hosts (virtual and physical), mostly in North America and Europe.
About CVE-2024-4040
CrushFTP sent out notices about CVE-2024-4040 to customers on Friday (April 19).
“The bottom line of this vulnerability is that any unauthenticated or authenticated user via the WebInterface could retrieve system files that are not part of their VFS. This could lead to escalation as they learn more, etc.,” the company said.
Discovered by Simon Garrelou, a security engineer at Airbus CERT, the vulnerability affects CrushFTP v11 and v10, and has been patched in v11.1.0 and v10.7.1, respectively. Customers still running CrushFTP v9 should upgrade to version v11.1.0.
Customers using a DMZ in front of their main CrushFTP instance are only partially protected. All are advised to upgrade hosts immediately.
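Because the fix lands in a different release on each supported branch (11.1.0 for v11, 10.7.1 for v10, and no fix at all for v9), a naive "is the version at least 10.7.1?" check would wrongly pass an unpatched 11.0.0 host. The following added example (not code from the article, CrushFTP or Airbus CERT) triages a constructed inventory branch by branch and ranks internet-facing WebInterface hosts first; the inventory format and the hostnames are assumptions made for the example, and the treatment of releases older than v9 or newer than v11 is an assumption, not something the advisory states.

```python
"""Branch-aware triage of a CrushFTP inventory against CVE-2024-4040.

Added example, not the article's or CrushFTP's own code. Fixed versions come
from the advisory quoted in the article: v11 is fixed in 11.1.0, v10 in 10.7.1,
and v9 has no fix and must move to 11.1.0. The inventory format (host, version,
WebInterface exposure) is an assumption made for this example.
"""
from typing import NamedTuple

# Fixed release per affected branch, from the advisory.
FIXED = {11: (11, 1, 0), 10: (10, 7, 1)}
UPGRADE_TARGET = "11.1.0"  # advised target for v9 installs


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v10.7.1', '10.7' or '11.1.0' into a 3-tuple; reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable CrushFTP version: {text!r}")
    nums = tuple(int(p) for p in parts) + (0, 0, 0)
    return nums[0], nums[1], nums[2]


class Host(NamedTuple):
    name: str
    version: str
    web_interface_exposed: bool  # WebInterface reachable from the internet?


class Finding(NamedTuple):
    host: str
    vulnerable: bool
    priority: str  # "critical", "high" or "none"
    advice: str


def is_vulnerable(version: str) -> tuple[bool, str]:
    """Compare within the host's own branch.

    A naive 'version >= 10.7.1' check would wrongly pass 11.0.0, which is
    newer than 10.7.1 yet unpatched; hence the per-branch lookup.
    """
    ver = parse_version(version)
    major = ver[0]
    if major in FIXED:
        if ver < FIXED[major]:
            return True, "upgrade to %s or later" % ".".join(map(str, FIXED[major]))
        return False, "patched"
    if major < 10:  # v9 (and, by assumption, anything older): no fix on that branch
        return True, f"no fix for this branch; upgrade to {UPGRADE_TARGET}"
    return False, "newer than the advisory covers"  # assumption: later majors ship fixed


def assess(host: Host) -> Finding:
    vulnerable, advice = is_vulnerable(host.version)
    if not vulnerable:
        return Finding(host.name, False, "none", advice)
    # The flaw is reached through the WebInterface, so internet-facing hosts come first.
    priority = "critical" if host.web_interface_exposed else "high"
    return Finding(host.name, True, priority, advice)


def triage(inventory: list[Host]) -> list[Finding]:
    """Vulnerable hosts first, internet-facing ones at the top (stable sort)."""
    order = {"critical": 0, "high": 1, "none": 2}
    return sorted((assess(h) for h in inventory), key=lambda f: order[f.priority])


# Constructed inventory for demonstration; hostnames, versions and exposure are made up.
SAMPLE_INVENTORY = [
    Host("ftp-a.example.internal", "11.0.0", True),
    Host("ftp-b.example.internal", "v10.7.1", True),
    Host("ftp-c.example.internal", "10.6", False),
    Host("ftp-d.example.internal", "9.4", False),
    Host("ftp-e.example.internal", "11.1.0", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.priority:8} {f.host:26} vulnerable={f.vulnerable!s:5} {f.advice}")
```

Run as-is to see the constructed inventory ranked, or feed `triage()` a list built from your own asset records. The exposure flag only reorders work; a vulnerable host that is not internet-facing is still listed for upgrade, in line with the advice that all hosts be upgraded immediately.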
According to the company, there is no definitive way to check whether the exploit has been leveraged against an internet-facing CrushFTP host.
“The nature of this was common words that could be in your log already. So there is no silver bullet search term to check for,” they said.
The targets
These attacks against CrushFTP hosts seem to be reconnaissance efforts. CrowdStrike said that multiple US entities have been probed, and that this intelligence-gathering activity could be politically motivated.
But zero-days in enterprise-grade file transfer solutions have also lately been popular with ransomware-wielding attackers.
UPDATE (April 24, 2024, 04:45 a.m. ET):
Rapid7 has confirmed that the vulnerability is trivially exploitable, and that successful exploitation allows for: arbitrary file read as root, authentication bypass for administrator account access, full remote code execution, and access and potential exfiltration of all files stored on the CrushFTP instance.
Airbus CERT has published a proof-of-concept script that triggers the vulnerability and a separate script that searches a CrushFTP server installation directory for indicators of compromise.
“During the course of vulnerability analysis, Rapid7 observed several factors that make it difficult to effectively detect exploitation of CVE-2024-4040,” Rapid7’s Caitlin Condon noted.
“Payloads for CVE-2024-4040 can be delivered in many different forms. When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic. CrushFTP instances behind a standard reverse proxy, such as NGINX or Apache, are partially defended against these techniques, but our team has found that evasive tactics are still possible.”