DIVD-2024-00015 - Remote Command Execution in CrushFTP

Our reference	DIVD-2024-00015
Case lead	Stan Plasmeijer
Researcher(s)	Stan Plasmeijer Ralph Horn Alwin Warringa Oscar Vlugt
CVE(s)	CVE-2024-4040
Products	CrushFTP
Versions	All versions below V10.7.1 and v11.1.0 are affected.
Recommendation	CrushFTP recommends updating all versions within the v10 range to version v10.7.1. Additionally, all versions below v11.1.0 should be upgraded to v11.1.0. CrushFTP advises companies still using v9 to immediately upgrade to v11.
Patch status	Released
Status	Open
Last modified	25 Apr 2024 18:52

Summary

A vulnerability has been identified in CrushFTP, enabling unauthenticated malicious actors to bypass CrushFTP’s Virtual File System, granting them access to sensitive system files.

Although using a DMZ for CrushFTP provides partial protection, unauthenticated malicious actors can still access sensitive CrushFTP configuration files.

This vulnerability is present in the CrushFTP web interface. Therefore, if only the SFTP port is exposed to the internet, you are protected from this vulnerability. However, updating to the latest version is still recommended as a precautionary measure.

Recommendations

CrushFTP recommends upgrading to the latest available version. For users running versions in the v10 range, it’s advised to update to V10.7.1. Alternatively, upgrading to v11.1.0 is also an option.

For those operating CrushFTP servers within the v11 range, updating to v11.1.0 is recommended.

If your CrushFTP version falls within the v9 range, it’s strongly recommended to upgrade immediately to v11.1.0. Enterprise customers of CrushFTP can reach out to CrushFTP for assistance with obtaining a license code.

What we are doing

DIVD is currently identifying vulnerable instances and notifying the owners of these systems.

Timeline

Date	Description
23 Apr 2024	DIVD starts researching this vulnerability.
23 Apr 2024	DIVD found a way to fingerprint vulnerable devices
23 Apr 2024	DIVD starts scanning the internet for vulnerable instances
23 Apr 2024	Case opened, first version of this casefile
23 Apr 2024	DIVD starts notifying network owners with a vulnerable instance in their network.

gantt title DIVD-2024-00015 - Remote Command Execution in CrushFTP dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00015 - Remote Command Execution in CrushFTP (still open) :2024-04-23, 2024-05-06 section Events DIVD starts researching this vulnerability. : milestone, 2024-04-23, 0d DIVD found a way to fingerprint vulnerable devices : milestone, 2024-04-23, 0d DIVD starts scanning the internet for vulnerable instances : milestone, 2024-04-23, 0d Case opened, first version of this casefile : milestone, 2024-04-23, 0d DIVD starts notifying network owners with a vulnerable instance in their network. : milestone, 2024-04-23, 0d

More information

CrushFTP CVE-2024-4040