This advisory is for organizations that use CrushFTP to facilitate file transfers across the organization. If your organization does not use this platform, this notification may be discarded.
Summary
On 4/19/2024, CrushFTP warned clients of a critical input validation vulnerability in the CrushFTP platform that allows an authenticated attacker with low privileges to escape the VFS (virtual file system) sandbox and download system files. The vulnerability was initially assigned a CVSSv3 score of 7.7; this has since been raised to 9.8.
Initial reports indicated that CrushFTP instances deployed behind a DMZ were protected; however, as of April 22, CrushFTP has stated that a DMZ “does not fully protect you.”
CVE-2024-4040 – CrushFTP VFS Sandbox Escape Vulnerability
CVSSv3: 9.8
Affected Platforms
Affected Versions | Fixed Version
11.0.1 | 11.1.0
10.0.0 through 10.6.1 | 10.7.1
Below 10.0.0 | Upgrade to 11.1.0
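The affected-version table above lends itself to an inventory triage check. The following Python helper is an added example, not CrushFTP's code or part of the original advisory; the hostnames and versions in the sample inventory are constructed, and any version the table does not cover is flagged for manual verification rather than assumed fixed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """'10.6.1' -> (10, 6, 1); missing parts default to 0 and extra parts
    such as a build suffix ('11.0.1_3', assumed format) are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple((nums + [0, 0, 0])[:3])

def triage(version: str) -> Tuple[str, Optional[str]]:
    """Classify one CrushFTP version against the advisory table.
    Returns ('affected', fix), ('fixed', None) or ('unlisted', None);
    'unlisted' means the table does not cover it, so check vendor notes."""
    v = parse_version(version)
    if v == (11, 0, 1):                        # row: 11.0.1 -> 11.1.0
        return "affected", "11.1.0"
    if (10, 0, 0) <= v <= (10, 6, 1):          # row: 10.0.0 through 10.6.1
        return "affected", "10.7.1"
    if v < (10, 0, 0):                         # row: below 10.0.0
        return "affected", "11.1.0"
    if v >= (11, 1, 0) or (10, 7, 1) <= v < (11, 0, 0):
        return "fixed", None                   # on or past a fixed release
    return "unlisted", None

def hosts_needing_upgrade(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> target release for affected hosts, or 'verify' for
    versions the table does not cover; hosts on fixed releases are omitted."""
    actions: Dict[str, str] = {}
    for host, version in inventory.items():
        status, fix = triage(version)
        if status == "affected":
            actions[host] = fix
        elif status == "unlisted":
            actions[host] = "verify"
    return actions

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ftp-dmz-01.example.test": "11.0.1",
    "ftp-int-02.example.test": "10.6.1",
    "ftp-legacy.example.test": "9.4",
    "ftp-new-03.example.test": "11.1.0",
    "ftp-int-04.example.test": "10.7.0",
}
print(hosts_needing_upgrade(SAMPLE_INVENTORY))
```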
Mitigations
Apply the patches listed in the table above.
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update&version=34
Additional Resources
https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
https://www.tenable.com/blog/cve-2024-4040-crushftp-virtual-file-system-vfs-sandbox-escape-vulnerability-exploited
https://www.wiz.io/blog/crushftp-vfs-sandbox-vulnerability