Remote File Read Vulnerability in VFS Sandbox
CVE-2024-4040
Key Information:
- Vendor: Crushftp
- Status: Crushftp (Vendor)
- CVE Published: 22 April 2024
What is CVE-2024-4040?
CVE-2024-4040 is a remote file read vulnerability discovered in the VFS Sandbox of CrushFTP, a file transfer server application used for secure file sharing and management. This vulnerability affects all versions of CrushFTP prior to 10.7.1 and 11.1.0 across all platforms. It allows unauthenticated remote attackers to bypass authentication mechanisms, read sensitive files from the server's filesystem, and potentially execute arbitrary code on the server. The implications of this vulnerability are significant, as it could lead to unauthorized access to sensitive data and complete server compromise, posing a serious risk to affected organizations.
Technical Details
CVE-2024-4040 is characterized as a server-side template injection vulnerability that arises when user inputs are improperly validated, enabling attackers to manipulate template processing. This flaw permits attackers to breach the security of the VFS Sandbox intended to contain file access. Consequently, this vulnerability allows them to read files outside of the restricted environment, leading to potential exposure of sensitive information. Furthermore, exploitation of this vulnerability can allow attackers to gain administrative privileges and execute remote code, which could facilitate ongoing access to the compromised server.
Impact of the Vulnerability
- Unauthorized File Access: Attackers can exploit this vulnerability to access confidential files stored on the server, leading to data leaks that may include sensitive user information or proprietary company data.
- Administrative Privilege Escalation: By bypassing authentication processes, attackers can gain administrative access to the CrushFTP server, allowing them to manipulate system settings and configurations, which may further facilitate their malicious activities.
- Remote Code Execution: The vulnerability opens the door for remote code execution, enabling attackers to deploy malware on the server, potentially leading to the installation of backdoors, data destruction, or even serving as a launchpad for attacks on other systems within the network.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known to CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
- CrushFTP 10.0 up to, but not including, 10.7.1
- CrushFTP 11.0 up to, but not including, 11.1.0
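To turn the affected ranges above into a repeatable patch-triage check, here is an added example (not code from the page or from CrushFTP) that parses a version string from an inventory banner and decides whether it falls inside the two affected ranges listed on this page. The host names, banner strings and the `AFFECTED_RANGES` table are constructed for the example; the range bounds are the ones stated in the Affected Version(s) list.

```python
"""Patch triage for CVE-2024-4040: is a given CrushFTP version inside an
affected range? Constructed example; not vendor or page code."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as listed on the page, keyed by major branch:
# [lower bound, first fixed version). Constructed table; values from the page.
AFFECTED_RANGES: Dict[int, Tuple[Version, Version]] = {
    10: ((10, 0, 0), (10, 7, 1)),  # CrushFTP 10.0 up to, but not including, 10.7.1
    11: ((11, 0, 0), (11, 1, 0)),  # CrushFTP 11.0 up to, but not including, 11.1.0
}

# First dotted numeric version in the text; minor and patch are optional.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Extract a (major, minor, patch) tuple from strings such as
    'CrushFTP 10.7.0' or '11.1'. Missing minor/patch components default to 0."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in match.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version in `text` lies inside a listed affected range.
    Assumption: a major branch that is not in the table (e.g. 9.x) is reported
    as not affected here; flag such hosts for manual review if that matters."""
    version = parse_version(text)
    branch = AFFECTED_RANGES.get(version[0])
    if branch is None:
        return False
    lower, fixed = branch
    return lower <= version < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a host -> banner inventory into hosts needing a patch and hosts
    already on a fixed (or unlisted) version. Order of hosts is preserved."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": []}
    for host, banner in inventory.items():
        bucket = "affected" if is_affected(banner) else "not_affected"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; the boundary versions 10.7.1 and 11.1.0
    # are the first fixed releases and must come out as not affected.
    sample = {
        "ftp-a.example": "CrushFTP 10.5.2",
        "ftp-b.example": "CrushFTP 10.7.1",
        "ftp-c.example": "CrushFTP 11.0.3",
        "ftp-d.example": "CrushFTP 11.1.0",
    }
    print(triage(sample))
```

The comparison is done on integer tuples rather than on the raw strings so that "10.10.0" sorts after "10.7.1" correctly; a string comparison would get that wrong.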
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Critical auth bypass bug in CrushFTP now exploited in attacks
Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.
3 days ago
CrushFTP warns users to patch unauthenticated access flaw immediately
CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately.
1 week ago
CVE-2024-4040 Detection: A Critical CrushFTP Zero-Day Vulnerability Exploited in the Wild Targeting U.S. Organizations - SOC Prime
Detect CVE-2024-4040 exploitation attempts, a new critical CrushFTP zero-day vulnerability, with a novel Sigma rule from SOC Prime Platform.
References
EPSS Score
94% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Used in Ransomware
- Public PoC available
- Vulnerability started trending
- CISA Reported
- Exploit known to exist
- First article discovered by Tenable
- Vulnerability published
- Vulnerability Reserved