DIVD-2024-00015 - Remote Command Execution in CrushFTP
Field | Value |
---|---|
Our reference | DIVD-2024-00015 |
Case lead | Stan Plasmeijer |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | CrushFTP recommends updating all versions within the v10 range to version v10.7.1. Additionally, all versions below v11.1.0 should be upgraded to v11.1.0. CrushFTP advises companies still using v9 to immediately upgrade to v11. |
Patch status | Released |
Status | Closed |
Last modified | 07 Aug 2024 13:53 CEST |
Summary
A vulnerability has been identified in CrushFTP that allows unauthenticated malicious actors to bypass CrushFTP's Virtual File System (VFS), giving them access to sensitive system files.
Running CrushFTP behind a DMZ provides only partial protection: unauthenticated malicious actors can still access sensitive CrushFTP configuration files.
The vulnerability lies in the CrushFTP web interface. If only the SFTP port is exposed to the internet, you are not affected by this vulnerability. Updating to the latest version is still recommended as a precautionary measure.
Recommendations
CrushFTP recommends upgrading to the latest available version. Users running versions in the v10 range are advised to update to v10.7.1; alternatively, upgrading to v11.1.0 is also an option.
For those operating CrushFTP servers within the v11 range, updating to v11.1.0 is recommended.
If your CrushFTP version falls within the v9 range, it is strongly recommended to upgrade immediately to v11.1.0. Enterprise customers of CrushFTP can contact CrushFTP for assistance with obtaining a license code.
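To turn the upgrade advice above into an inventory check, the following added example (not part of the DIVD case file or of CrushFTP) parses CrushFTP version strings and reports, per the recommendation, whether a host still needs an upgrade and to which release. It assumes that the fixed versions are exactly v10.7.1 and v11.1.0, that any v9 or older install must move to v11.1.0, and that releases newer than v11.1.0 include the fix; the inventory lines are constructed sample data.

```python
import re

# Fixed releases named in the advisory (assumption: these exact versions carry the fix).
FIXED_V10 = (10, 7, 1)
FIXED_V11 = (11, 1, 0)


def parse_version(text: str) -> tuple:
    """Extract a (major, minor, patch) tuple from strings like 'v10.7.1', '11.0' or 'CrushFTP 10.5.2'.

    Missing components are treated as 0, so '11.1' compares equal to (11, 1, 0).
    """
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def triage(version_text: str) -> dict:
    """Classify one CrushFTP version according to the advisory's recommendation."""
    v = parse_version(version_text)
    if v[0] >= 11:
        # v11 branch (and, by assumption, anything newer): fixed from v11.1.0 onward.
        vulnerable = v < FIXED_V11
        target = "v11.1.0"
    elif v[0] == 10:
        # v10 branch: fixed from v10.7.1 onward.
        vulnerable = v < FIXED_V10
        target = "v10.7.1"
    else:
        # v9 and older: no fixed release in that branch, upgrade to v11.1.0.
        vulnerable = True
        target = "v11.1.0"
    return {"version": v, "vulnerable": vulnerable, "target": target if vulnerable else None}


# Constructed sample inventory, one "host,version" line per server.
SAMPLE_INVENTORY = """\
ftp-a.example.internal,10.5.2
ftp-b.example.internal,v10.7.1
ftp-c.example.internal,CrushFTP 11.0.3
ftp-d.example.internal,9.3
"""


def hosts_needing_upgrade(inventory: str) -> list:
    """Return (host, installed_version, target_version) for every vulnerable host."""
    result = []
    for line in inventory.splitlines():
        host, _, version = line.partition(",")
        verdict = triage(version)
        if verdict["vulnerable"]:
            result.append((host, version, verdict["target"]))
    return result
```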
What we are doing
DIVD is currently identifying vulnerable instances and notifying the owners of these systems.
Timeline
Date | Description |
---|---|
23 Apr 2024 | DIVD starts researching this vulnerability. |
23 Apr 2024 | DIVD finds a way to fingerprint vulnerable devices. |
23 Apr 2024 | DIVD starts scanning the internet for vulnerable instances. |
23 Apr 2024 | Case opened, first version of this case file. |
23 Apr 2024 | DIVD starts notifying network owners with a vulnerable instance in their network. |
07 May 2024 | DIVD rescans the internet for vulnerable instances. |
07 May 2024 | DIVD starts notifying network owners with a vulnerable instance for the second time. |
01 Jun 2024 | DIVD rescans the internet for vulnerable instances. |
01 Jun 2024 | DIVD starts notifying network owners with a vulnerable instance for the third time. |
01 Jun 2024 | Case closed. |