CVE-2024-4040
CrushFTP vulnerability analysis and mitigation

Summary

CrushFTP recently released version 11.1.0 and warned that earlier versions (below 11.1.0 and below 10.7.1) contain a vulnerability that lets users escape their VFS and download system files. The flaw was assigned CVE-2024-4040 on April 22, 2024. Users are advised to upgrade to the latest version of CrushFTP.

Technical details

The public advisory from CrushFTP describes the issue as a VFS sandbox escape that permits low-privileged remote attackers to read files beyond the intended limits of the VFS sandbox in its file transfer software. Researchers who analyzed the vulnerability further concluded that it can be exploited without authentication and with minimal technical effort. According to their research, the vulnerability allows attackers not only to read files at the root level but also to bypass authentication for administrator accounts and execute code remotely. Although officially recorded as an arbitrary file read, the vulnerability might be more accurately described as a server-side template injection (SSTI). CVE-2024-4040 has been observed being exploited in the wild.

Affected products

CrushFTP versions before 10.7.1, and versions 11.0 and later before 11.1.0, are vulnerable to CVE-2024-4040.

Remediation

It is advised to upgrade to version 10.7.1 or 11.1.0.
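To turn the affected ranges and fixed releases above into an inventory check, here is an added Python example (not from the advisory or from CrushFTP) that classifies reported version strings against the two ranges and names the fixed release to move to. The hostnames and banners are constructed sample data, and versions from major branches the advisory does not mention (12.x and later) are treated as outside the affected ranges.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory, one per affected branch.
FIXED_10 = (10, 7, 1)
FIXED_11 = (11, 1, 0)


def parse_version(banner: str) -> Tuple[int, ...]:
    """Extract a dotted version from strings such as '10.6.2' or
    'CrushFTP 11.0.3_build45' and pad it to three components."""
    match = re.search(r"\d+(?:\.\d+)*", banner)
    if match is None:
        raise ValueError(f"no version number found in {banner!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(banner: str) -> bool:
    """Apply the advisory's two ranges: everything before 10.7.1, and the
    11.0 line before 11.1.0. Majors outside both ranges (assumption: 12.x
    and later, which the advisory does not list) are reported as not affected."""
    v = parse_version(banner)
    if v < FIXED_10:
        return True
    return (11, 0, 0) <= v < FIXED_11


def upgrade_target(banner: str) -> str:
    """Name the fixed release on the branch the host is already running."""
    return "11.1.0" if parse_version(banner)[0] >= 11 else "10.7.1"


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = [
    ("ftp-01.example.internal", "CrushFTP 10.6.2"),
    ("ftp-02.example.internal", "CrushFTP 10.7.1"),
    ("ftp-03.example.internal", "CrushFTP 11.0.3_build45"),
    ("ftp-04.example.internal", "CrushFTP 11.1.0"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per vulnerable host with the recommended upgrade."""
    return [
        {"host": host, "version": banner, "upgrade_to": upgrade_target(banner)}
        for host, banner in inventory
        if is_vulnerable(banner)
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['version']} -> upgrade to {finding['upgrade_to']}")
```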

Source: Wiz Research
