Fixing CVE-2024-4040 in CrushFTP

The emergence of CVE-2024-4040, a critical vulnerability in CrushFTP servers, has prompted urgent action within the cyber security community.

By examining the technical details, mitigation strategies, and detection challenges associated with CVE-2024-4040, organizations can effectively protect their systems from potential exploitation.

Here’s everything you need to know.

What is CVE-2024-4040? 

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server 

Initially disclosed by CrushFTP on April 19, 2024, CVE-2024-4040 is a zero-day vulnerability affecting versions below 10.7.1 and 11.1.0 of CrushFTP, including legacy 9.x versions. Identified as a virtual file system (VFS) sandbox escape, the vulnerability permits remote attackers with low privileges to access files outside the intended limits of the VFS Sandbox.

Rapid7’s analysis reveals that the vulnerability is fully unauthenticated and enables not only arbitrary file read as root but also authentication bypass for administrator account access and full remote code execution. 

This critical flaw poses a severe risk, allowing attackers to potentially access and exfiltrate all files stored on the CrushFTP instance.

CrushFTP recommended using a front-end demilitarized zone (DMZ) server for partial protection, although it’s uncertain whether this fully mitigates the vulnerability.

Additionally, detecting exploitation of CVE-2024-4040 is challenging due to various payload delivery forms. 

Does CVE-2024-4040 affect me?

Organizations utilizing CrushFTP servers, particularly versions below 10.7.1 and 11.1.0, are vulnerable to CVE-2024-4040.

The severity of the impact is underscored by its inclusion in the U.S. Cybersecurity and Infrastructure Agency’s Known Exploited Vulnerabilities list.

Wiz.io’s research data reveals that approximately 1.7% of cloud environments have instances vulnerable to CVE-2024-4040, emphasizing the widespread risk posed by this vulnerability.

Has CVE-2024-4040 been actively exploited in the wild?

Yes, CVE-2024-4040 has been actively exploited in targeted attacks against organizations, as confirmed by private customer communications from CrushFTP and a public Reddit post from security firm CrowdStrike.

Code triggering the vulnerability became publicly available on April 23, further exacerbating the risk of exploitation. Rapid7’s detailed technical analysis and detection challenges underscore the urgent need for organizations to address this vulnerability promptly. 

How to fix CVE-2024-4040

Mitigating CVE-2024-4040 requires updating CrushFTP servers to the patched versions provided by the vendor. CrushFTP versions 9.x before 10.7.1 and 11.0 before 11.1.0 are vulnerable, while versions 10.7.1 and 11.1.0 contain patches for the vulnerability. It is important to apply the vendor-supplied patch on an emergency basis, without waiting for a typical patch cycle.

Additionally, organizations can enhance defense measures by enabling Limited Server mode, using firewalls to restrict access, and leveraging detection capabilities provided by security solutions like InsightVM, Nexpose, InsightIDR, and managed detection and response (MDR) services. 

Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

1. 2023 Vulnerability watch reports 
2. The MITRE ATT&CK framework: Getting started
3. The true impact of exploitable vulnerabilities for 2024
4. Multi-cloud security challenges – a best practice guide
5. How to properly tackle zero-day threats