Last updated at Fri, 26 Apr 2024 15:17:01 GMT

Rapid7 vulnerability researcher Ryan Emmons contributed to this blog.

On Friday, April 19, 2024, managed file transfer vendor CrushFTP released information to a private mailing list on a new zero-day vulnerability affecting versions below 10.7.1 and 11.1.0 (as well as legacy 9.x versions) across all platforms. No CVE was assigned by the vendor, but a third-party CVE Numbering Authority (CNA) assigned CVE-2024-4040 as of Monday, April 22. According to a public-facing vendor advisory, the vulnerability is ostensibly a VFS sandbox escape in CrushFTP managed file transfer software that allows “remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.”

Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance. See Rapid7's full technical analysis of CVE-2024-4040 in AttackerKB for additional details.

Code that triggers the vulnerability is publicly available as of April 23. CVE-2024-4040 was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) list on April 24.

Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI). CVE-2024-4040 was exploited in the wild as a zero-day vulnerability, per private customer communications from the vendor and a public Reddit post from security firm CrowdStrike. Using a query that looks for a specific JavaScript file in the web interface, there appear to be roughly 5,200 instances of CrushFTP exposed to the public internet.

Mitigation guidance

According to the advisory, CrushFTP versions below 11.1 are vulnerable to CVE-2024-4040. The following versions of CrushFTP are vulnerable as of April 23:

  • All legacy CrushFTP 9 installations
  • CrushFTP 10 before v10.7.1
  • CrushFTP 11 before v11.1.0

The vulnerability has been patched in version 11.1.0 for the 11.x version stream, and in version 10.7.1 for the 10.x version stream. Our research team has validated that the vendor-supplied patch effectively remediates CVE-2024-4040.
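To turn the affected and fixed versions listed above into an inventory triage step, the following is an added example (not code from Rapid7 or CrushFTP) that classifies CrushFTP version strings against the advisory's boundaries: every 9.x build is affected, 10.x is affected below 10.7.1, and 11.x is affected below 11.1.0. The hostnames and version strings in the sample inventory are constructed.

```python
from __future__ import annotations

# Fixed builds per the vendor advisory: 10.7.1 for the 10.x stream and
# 11.1.0 for the 11.x stream. Legacy 9.x has no fixed release at all.
FIXED_VERSIONS = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a CrushFTP version string such as '10.7.0' or 'v11.1.0'.

    A leading 'v' is tolerated and any build suffix after '_' or '-' is
    ignored (constructed convention, e.g. '10.6.2_5'); anything else raises.
    """
    core = text.strip().lstrip("vV").split("_")[0].split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CrushFTP version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if this CrushFTP version is affected by CVE-2024-4040."""
    v = parse_version(version)
    major = v[0]
    if major == 9:
        return True  # all legacy 9.x installations are affected
    if major not in FIXED_VERSIONS:
        raise ValueError(f"major version {major} is outside the advisory's scope")
    # Pad to three components so a bare '10.7' compares as (10, 7, 0)
    padded = tuple(v[i] if i < len(v) else 0 for i in range(3))
    return padded < FIXED_VERSIONS[major]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version mapping into vulnerable and patched hosts."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": []}
    for host, version in inventory.items():
        result["vulnerable" if is_vulnerable(version) else "patched"].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "mft-01.example.test": "11.0.9",
    "mft-02.example.test": "11.1.0",
    "mft-03.example.test": "10.7.0",
    "mft-04.example.test": "v10.7.1",
    "mft-05.example.test": "9.4.2",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```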

The vendor advisory emphasizes the importance of updating to a fixed version of CrushFTP on an urgent basis. Rapid7 echoes this guidance, particularly given our team’s findings on the true impact of the issue, and urges organizations to apply the vendor-supplied patch on an emergency basis, without waiting for a typical patch cycle to occur.

While the vendor guidance as of April 22 says that “customers using a DMZ in front of their main CrushFTP instance are partially protected,” it’s unclear whether this is actually an effective barrier to exploitation. Out of an abundance of caution, Rapid7 advises against relying on a DMZ as a mitigation strategy.

Detection challenges

During the course of vulnerability analysis, Rapid7 observed several factors that make it difficult to effectively detect exploitation of CVE-2024-4040. Payloads for CVE-2024-4040 can be delivered in many different forms. When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic. CrushFTP instances behind a standard reverse proxy, such as NGINX or Apache, are partially defended against these techniques, but our team has found that evasive tactics are still possible.

CrushFTP customers can harden their servers against administrator-level remote code execution attacks by enabling Limited Server mode with the most restrictive configuration possible. Organizations should also use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-4040 with an authenticated vulnerability check available in the April 24 content release. Customers can also use Query Builder (asset.software.product CONTAINS 'CrushFTP') or a Filtered Asset Search (Software Name contains CrushFTP) to find assets in their environment with CrushFTP installed.

InsightIDR and managed detection and response (MDR) customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability for both InsightIDR and Rapid7 MDR customers:

  • Suspicious Web Request - Possible CrushFTP (CVE-2024-4040) Exploitation

Updates

April 23, 2024: Added Detection challenges section. Noted that our team tested the vendor-supplied patch and found that it successfully remediates CVE-2024-4040. Added detection rule deployed and alerting for InsightIDR and Rapid7 MDR customers. Added Query Builder information to assist InsightVM and Nexpose customers in identifying CrushFTP installations in their environments. Added link to Airbus CERT proof-of-concept code.

April 24, 2024: CVE-2024-4040 has been added to CISA KEV. A vulnerability check is now available to InsightVM and Nexpose customers. Rapid7's full technical analysis of CVE-2024-4040 is now available in AttackerKB.