Vulnerabilities

CVE-2024-4040 CrushFTP VFS Sandbox Escape Vulnerability

Written by Critical Insight | Apr 24, 2024 7:56:47 PM

This advisory is for organizations that use CrushFTP to facilitate file transfers across the organization.  If your organization does not use this platform, this notification may be discarded. 

 

Summary

On 4/19/2024, CrushFTP warned clients of a critical input validation vulnerability present in the CrushFTP platform which could allow an authenticated attacker with low privileges to exploit the vulnerability to escape the VFS (virtual file system) sandbox and download system files.  Initially assigned a CVSSv3 score of 7.7, this has been elevated to CVSSv3 9.8.

 

It should be noted that initial reports indicated that if CrushFTP was behind a DMZ, then users would be protected, however as of April 22, CrushFTP has stated that a DMZ “does not fully protect you.”

 

CVE-2024-4040 – CrushFTP VFS Sandbox Escape Vulnerability

                CVSSv3: 9.8

               

Affected Platforms

Affected Versions

Fixed Version

11.0.1

11.1.0

10.0.0 through 10.6.1

10.7.1

Below 10.0.0

Upgrade to 11.1.0

 

Mitigations

Apply patches as noted above.

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update&version=34

 

Additional Resources

https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/

https://www.tenable.com/blog/cve-2024-4040-crushftp-virtual-file-system-vfs-sandbox-escape-vulnerability-exploited

https://www.wiz.io/blog/crushftp-vfs-sandbox-vulnerability