Full Report
CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately. [...]
Analysis Summary
# Vulnerability: CrushFTP Unauthenticated VFS Escape (CVE-2024-4040)
## CVE Details
- CVE ID: CVE-2024-4040
- CVSS Score: Not explicitly provided, but noted as a critical flaw leading to system file downloads.
- CWE: Not explicitly provided.
## Affected Systems
- Products: CrushFTP
- Versions: All unpatched versions prior to the fix release.
- Configurations: Any deployed CrushFTP server.
## Vulnerability Description
CVE-2024-4040 is an unauthenticated access flaw in CrushFTP that allows an attacker to escape the intended User Virtual File System (VFS) boundaries. Successful exploitation enables an unauthenticated attacker to download sensitive system files from the underlying server operating system. This vulnerability has been observed in targeted intelligence-gathering campaigns.
*Note: The article also mentions a separate critical RCE vulnerability, CVE-2023-43177, which was previously addressed and had a public PoC.*
## Exploitation
- Status: Evidence points to exploitation in the wild (an intelligence-gathering campaign targeting U.S. organizations). CISA has added it to its KEV catalog.
- Complexity: Implied to be low, given the successful exploitation observed by security researchers.
- Attack Vector: Network (Remote exploitation).
## Impact
- Confidentiality: High (Ability to download system files).
- Integrity: Undetermined/Medium (Potential for system configuration disclosure).
- Availability: Low (Primary impact is data exfiltration).
## Remediation
### Patches
- Specific patch versions are not listed in the provided text, but users are urged to apply the immediate patch released by CrushFTP addressing CVE-2024-4040.
- Users are directed to secure vulnerable servers immediately per CISA guidance.
### Workarounds
- The article stresses immediate patching rather than workarounds due to the severity and active exploitation demonstrated by threat actors.
## Detection
- CrowdStrike observed evidence of initial access activity related to this exploit.
- Customers should monitor logs for unusual file access requests from sources that would not normally authenticate, and for excessive reads of system configuration files via the VFS interface.
- CISA mandates that U.S. federal agencies secure these servers within a week of KEV catalog inclusion.
## References
- Vendor Advisories: CrushFTP advisories regarding CVE-2024-4040.
- Relevant links:
  - hxxps://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
  - hxxps://nvd.nist.gov/vuln/detail/CVE-2024-4040