CVE-2024-4040 exploited in the wild: everything you need to know

Detect and mitigate CVE-2024-4040, a critical vulnerability in CrushFTP exploited in the wild. Organizations should patch urgently.


On April 19, 2024, CrushFTP, a managed file transfer vendor, disclosed a zero-day vulnerability in several versions of its software through a private mailing list. The vulnerability, identified as CVE-2024-4040 and carrying a CVSS score of 9.8, was discovered by Simon Garrelou and assigned by a third-party CNA (DirectCyber) on April 22. It affects versions prior to 10.7.1 and 11.1.0, including older 9.x versions. Wiz initially tracked it under the temporary identifier CVE-WIZ-003 before the official CVE assignment. CrushFTP described the vulnerability as allowing remote attackers with limited privileges to bypass the VFS sandbox and access files outside their designated limits. Researchers have since exploited it to achieve unauthenticated remote code execution, demonstrating that the flaw is more severe than initially described and raising its CVSS score from 7.7 to 9.8. Because the vulnerability has been observed being exploited in the wild, users are strongly advised to update to the patched versions to secure their systems.

What is CVE-2024-4040? 

The public advisory from CrushFTP describes CVE-2024-4040 as a VFS sandbox escape that permits low-privileged remote attackers to read files beyond the intended limits of the VFS sandbox in its file transfer software. Researchers further analyzed the vulnerability and concluded that it can be exploited without authentication and with minimal technical effort, allowing attackers not only to read files at the root level but also to bypass authentication for administrator accounts and execute code remotely. Although officially recorded as an arbitrary file read, the vulnerability might be more accurately described as a server-side template injection (SSTI). The vulnerability has also been observed being exploited in the wild by threat actors.

It is important to note that the CVE is only exploitable from the web interface port, so setups that only expose the SFTP port are considered safe. 

Wiz Research data: what’s the risk to cloud environments? 

According to Wiz data, 1.7% of cloud environments have instances vulnerable to CVE-2024-4040, and about 0.4% of environments have instances using CrushFTP exposed to the internet.  

What sort of exploitation has been identified in the wild?  

Researchers have observed exploitation attempts in the wild, and a proof of concept demonstrating the sandbox escape has been published.

Which products are affected? 

CrushFTP versions 9.x and 10.x before 10.7.1, and 11.0 before 11.1.0, are vulnerable to CVE-2024-4040.

Which actions should security teams take? 

It is advised to upgrade to versions 10.7.1 or 11.1.0. In early versions of CrushFTP’s advisory it was mentioned that using a DMZ could protect users from exploitation, but this guidance has since been retracted.  
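To turn the affected-version ranges and the web-interface exposure note above into an inventory check, here is an added Python example (not CrushFTP's or Wiz's own code); the host names, the inventory layout and the CrushFtpInstance type are constructed for illustration.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fixed releases named in the advisory: 10.7.1 for the 9.x/10.x line, 11.1.0 for 11.x.
PATCHED_10_LINE = (10, 7, 1)
PATCHED_11_LINE = (11, 1, 0)

def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse '11.0.3' or '10.7.0_beta' into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in version.strip().split(".")[:3]:
        digits = "".join(itertools.takewhile(str.isdigit, part))  # drop '_beta' etc.
        nums.append(int(digits) if digits else 0)
    nums += [0] * (3 - len(nums))  # '10.5' is treated as 10.5.0
    return nums[0], nums[1], nums[2]

def is_vulnerable_version(version: str) -> bool:
    """True when the version falls inside an affected range for CVE-2024-4040."""
    ver = parse_version(version)
    if ver[0] >= 11:
        return ver < PATCHED_11_LINE
    return ver < PATCHED_10_LINE  # every 9.x build and 10.x before 10.7.1

@dataclass
class CrushFtpInstance:  # hypothetical inventory record, not a CrushFTP type
    host: str
    version: str
    web_exposed: bool  # web interface (HTTP/HTTPS) reachable from untrusted networks

def assess(inst: CrushFtpInstance) -> str:
    """Triage label: patch status first, then web-interface reachability."""
    if not is_vulnerable_version(inst.version):
        return "patched"
    if inst.web_exposed:
        return "vulnerable, web interface exposed: patch immediately"
    return "vulnerable, web interface not exposed: patch anyway"

# Constructed sample inventory with hypothetical host names, not real data.
SAMPLE_INVENTORY: List[CrushFtpInstance] = [
    CrushFtpInstance("mft-prod-01", "11.0.3", web_exposed=True),
    CrushFtpInstance("mft-legacy", "9.5.2", web_exposed=False),
    CrushFtpInstance("mft-prod-02", "11.1.0", web_exposed=True),
    CrushFtpInstance("mft-dev", "10.7.0_beta", web_exposed=True),
]

def triage(inventory: List[CrushFtpInstance]) -> Dict[str, str]:
    """Map each host to its verdict; feed it the real inventory export in practice."""
    return {i.host: assess(i) for i in inventory}
```

A version the parser cannot read collapses to 0.0.0 and is therefore reported as vulnerable, which is the conservative outcome for an inventory sweep.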

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 
