Remote File Read Vulnerability in VFS Sandbox

CVE-2024-4040

10 CRITICAL

Key Information

Vendor: Crushftp
Status: Crushftp Vendor
CVE Published: 22 April 2024

Badges

😄 Trended · 👾 Exploit Exists · 🔴 Public PoC · 🟣 EPSS 96% · 📰 News Worthy

What is CVE-2024-4040?

CVE-2024-4040 is a remote file read vulnerability discovered in the VFS Sandbox of CrushFTP, a file transfer server application used for secure file sharing and management. This vulnerability affects all versions of CrushFTP prior to 10.7.1 and 11.1.0 across all platforms. It allows unauthenticated remote attackers to bypass authentication mechanisms, read sensitive files from the server's filesystem, and potentially execute arbitrary code on the server. The implications of this vulnerability are significant, as it could lead to unauthorized access to sensitive data and complete server compromise, posing a serious risk to affected organizations.

Technical Details

CVE-2024-4040 is characterized as a server-side template injection vulnerability that arises when user inputs are improperly validated, enabling attackers to manipulate template processing. This flaw permits attackers to breach the security of the VFS Sandbox intended to contain file access. Consequently, this vulnerability allows them to read files outside of the restricted environment, leading to potential exposure of sensitive information. Furthermore, exploitation of this vulnerability can allow attackers to gain administrative privileges and execute remote code, which could facilitate ongoing access to the compromised server.

Impact of the Vulnerability

  1. Unauthorized File Access: Attackers can exploit this vulnerability to access confidential files stored on the server, leading to data leaks that may include sensitive user information or proprietary company data.

  2. Administrative Privilege Escalation: By bypassing authentication processes, attackers can gain administrative access to the CrushFTP server, allowing them to manipulate system settings and configurations, which may further facilitate their malicious activities.

  3. Remote Code Execution: The vulnerability opens the door for remote code execution, enabling attackers to deploy malware on the server, potentially leading to the installation of backdoors, data destruction, or even serving as a launchpad for attacks on other systems within the network.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-4040 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

CrushFTP <= 10.0

CrushFTP < 10.7.1

CrushFTP < 11.1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

CVE-2024-4040 Detection: A Critical CrushFTP Zero-Day Vulnerability Exploited in the Wild Targeting U.S. Organizations - SOC Prime

Detect CVE-2024-4040 exploitation attempts, a new critical CrushFTP zero-day vulnerability, with a novel Sigma rule from SOC Prime Platform.

8 months ago

CrushFTP Zero-Day Exploitation Due to CVE-2024-4040 | Qualys Security Blog

CrushFTP disclosed a zero-day vulnerability in their software on April 19, 2024. The vulnerability is published on CVE-2024-4040. Affected versions: The CVSS…

8 months ago

+1,400 CrushFTP servers vulnerable to CVE-2024-4040

Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability.

8 months ago


EPSS Score

96% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 🔴 Public PoC available

  • Vulnerability started trending

  • CISA Reported

  • 👾 Exploit known to exist

  • First article discovered by Tenable

  • Vulnerability Reserved

  • Vulnerability published

Collectors

NVD Database · Mitre Database · CISA Database · 5 Proof of Concept(s) · 10 News Article(s)

Credit

Simon Garrelou, of Airbus CERT.