CrushFTP Users Urged to Update Following Newly Discovered Vulnerability
The CrushFTP enterprise file transfer software has been hit by a security vulnerability that is reportedly being exploited in active attacks. In a recent advisory, CrushFTP informed its users that versions of the software prior to 11.1 are susceptible to a flaw allowing users to escape their Virtual File System (VFS) and download system files. The company has issued an urgent call for users to upgrade to version 11.1.0, which addresses this critical issue.
According to CrushFTP, the vulnerability affects users running versions of the software below 11.1. Simon Garrelou of Airbus CERT is credited with discovering the flaw, which, at the time of the initial advisory, had not been assigned a CVE identifier. The cybersecurity firm CrowdStrike also reported the vulnerability and noted that it had already been observed being exploited against U.S. entities in a "targeted fashion."
Despite the seriousness of the situation, companies operating CrushFTP in a designated demilitarized zone (DMZ) environment are believed to be shielded from these attacks, thus reducing the risk for those users. Nonetheless, CrowdStrike has recommended that all CrushFTP users stay updated via the vendor’s website for the latest security instructions and prioritize patching their instances.
The vulnerability has since been designated CVE-2024-4040 and assigned a CVSS score of 9.8 (critical); it is characterized as a server-side template injection flaw. It allows unauthenticated remote attackers to read files outside the VFS sandbox, bypass authentication to gain administrative access, and potentially execute code on the server. These capabilities represent a significant risk to affected systems, with implications for data confidentiality and the overall integrity of the deployment.
Airbus CERT has taken action by developing a set of Python scripts designed to scan systems for indicators of compromise (IoCs) associated with this vulnerability. The scripts are available on GitHub and reflect ongoing efforts to assist organizations in mitigating the risks presented by CVE-2024-4040. According to analyses from Rapid7, the exploit is notably straightforward, enabling attackers to access and potentially exfiltrate sensitive files stored within the CrushFTP platform.
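As an added example (not the Airbus CERT scripts or any CrushFTP code), the Python below triages a constructed host inventory against the advisory's statements: versions prior to 11.1.0 are flagged for patching, DMZ-fronted instances are marked as such, and unparsable version strings are held for manual verification rather than cleared. The host names and the dotted version-string format are assumptions.

```python
"""Fleet version triage for CVE-2024-4040 (added example, not Airbus CERT's scanner).

Per the advisory: versions prior to 11.1 are affected, 11.1.0 is the first fixed
release, and instances fronted by a DMZ deployment are believed to be shielded.
"""
import re
from typing import NamedTuple

FIXED_VERSION = (11, 1, 0)  # first fixed release named in the advisory


class Host(NamedTuple):
    name: str
    version: str      # version string as reported by the server (format assumed)
    behind_dmz: bool  # fronted by a CrushFTP DMZ instance


# Constructed sample inventory; these are not real hosts.
INVENTORY = [
    Host("ftp-01.example.test", "10.7.1", False),
    Host("ftp-02.example.test", "11.0.3", True),
    Host("ftp-03.example.test", "11.1.0", False),
    Host("ftp-04.example.test", "11.2", False),
    Host("ftp-05.example.test", "unknown", False),
]


def parse_version(text: str) -> tuple:
    """Turn '11.0.3' or '11.1' into a comparable tuple padded to three parts."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates the 11.1.0 fix."""
    return parse_version(version) < FIXED_VERSION


def triage(hosts) -> dict:
    """Map host name -> 'patch now' | 'patch (DMZ-fronted)' | 'fixed' | 'verify version'."""
    result = {}
    for h in hosts:
        try:
            vuln = is_vulnerable(h.version)
        except ValueError:
            result[h.name] = "verify version"  # unknown version cannot clear a host
            continue
        if not vuln:
            result[h.name] = "fixed"
        else:
            result[h.name] = "patch (DMZ-fronted)" if h.behind_dmz else "patch now"
    return result


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:24} {status}")
```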
The United States Cybersecurity and Infrastructure Security Agency (CISA) is also taking measures to address this vulnerability by adding it to its Known Exploited Vulnerabilities catalog. This inclusion compels federal agencies to implement the necessary vendor fixes by May 1, 2024, as a precautionary measure to secure their networks.
Organizations that use CrushFTP should remain vigilant and proactive in their security posture. Beyond applying the update immediately, they should review logs for signs that the flaw was exploited before patching and map any activity found to MITRE ATT&CK tactics such as initial access and privilege escalation. Security teams should also work closely with their software vendors to confirm that instances are patched and ready to withstand further exploitation attempts.
In light of these developments, business owners and cybersecurity officers are advised to reassess their risk management strategies to account for emerging threats and ensure that their systems and data remain secure against evolving cyber threats.