Virtual file transfer system provider CrushFTP and various security researchers are raising the alarm about a sandbox-escape flaw in the CrushFTP server that attackers have already exploited as a zero-day in attacks against organizations in the United States.
CrushFTP is a multi-protocol, cross-platform, cloud-based file transfer server. The security vulnerability, tracked as CVE-2024-4040, is an improper input validation bug in CrushFTP file transfer server version 11.1. The company said it fixed the defect on April 19 with the release of version 11.1.0 of the product; however, several reports have already surfaced of threat actors hammering away at the flaw with an existing exploit.
These potentially “politically motivated” attacks were targeted in nature, aimed at intelligence gathering, and were detected at various US entities, according to CrowdStrike threat hunters Falcon OverWatch and Falcon Intelligence, which posted a notice on Reddit.
A developing attack scenario for cloud file transfer
The attack scenario is developing, with new research from Tenable published on April 23 identifying more than 7,100 CrushFTP servers accessible to the public “based on a Shodan query in a Nuclei model created by h4sh,” according to the report. However, “it is unclear how many of these systems are potentially vulnerable,” Satnam Narang, a senior research engineer at Tenable, noted in the post.
Given this, attacks on unpatched servers are likely to continue, as a proof-of-concept (PoC) exploit for the flaw is now publicly available, posted on April 23 on GitHub by the researcher who discovered and reported the flaw to CrushFTP, Simon Garrelou of the Airbus Community Emergency Response Team (CERT), Narang added.
Other attackers also aim to take advantage of all the attention on the flaw by targeting users with fake PoCs, Narang wrote, pointing out that there is already a repository posted on GitHub that directs users to a third-party site called SatoshiDisk, which demands a payment of 0.00735 bitcoin (about $513) for an alleged exploit.
“The exploit code is unlikely to work and we do not expect it to be malicious in nature,” Narang wrote. “Instead, attackers are more likely to seek to profit from interest in exploit code for this vulnerability.”
CVE-2024-4040: Potential for RCE
The vulnerability, as described by the vendor, is an arbitrary file read flaw that allows an attacker with low privileges to escape the server’s virtual file system (VFS) sandbox and access and download system files.
However, there is evidence that the flaw is more serious than has been reported so far, Rapid7 researchers noted in a blog post published on April 23.
“Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes it can be more accurately classified as a server-side template injection (SSTI),” Caitlin Condon, director of vulnerability intelligence at Rapid7, wrote in the post.
CVE-2024-4040 is a “completely unauthenticated flaw” and is easy to exploit; successful exploitation allows not only arbitrary reading of files as root, but also bypassing authentication to gain administrator account access and full remote code execution (RCE), Condon noted.
“A successful exploit allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance,” Condon wrote.
Exploit code available
The PoC exploit published by Garrelou includes two scripts. The first, scan_host.py, attempts to use the vulnerability to read files outside the sandbox, according to the GitHub post.
“If successful, the script writes Vulnerable to standard output and returns with exit code 1,” according to Garrelou. “If exploitation of the vulnerability fails, the script writes Not Vulnerable and exits with status code 0.”
The second script, scan_logs.py, looks for indicators of compromise in the CrushFTP server installation directory and, once it finds any, attempts to extract the IP address that attempted to exploit the server.
Apply the patch now for complete protection
The best way for organizations with CrushFTP in their environment to mitigate the situation is to update their systems to the patched version of the product now, both the company and security researchers advised.
Customers who run a front-end Demilitarized Zone (DMZ) server to handle protocols and connections in front of their main CrushFTP instance get partial protection from exploits, according to CrushFTP, thanks to the protocol translation the DMZ performs.
“A DMZ, however, does not protect you completely and you should update it immediately,” the company advised customers in its advisory. One factor that complicates an organization’s detection of CVE-2024-4040 exploitation is that payloads “can be delivered in many different forms,” noted Rapid7’s Condon.
“When certain evasive techniques are exploited, payloads will be obscured from logs and request history, and malicious requests will be difficult to distinguish from legitimate traffic,” Condon wrote.
For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Restricted Server mode with the most restrictive configuration possible. Condon added that, where possible, they should also use firewalls to aggressively limit the IP addresses allowed to reach CrushFTP services.