CVE-2024-4040

Analysis and mitigation of the CrushFTP vulnerability — CRITICAL (CVSS 9.8)

High-profile threat

Overview

CrushFTP contains a Virtual File System (VFS) sandbox escape vulnerability that allows remote attackers with low privileges to read files outside the restricted sandbox environment. The vulnerability exists due to insufficient sandbox restrictions in the file access mechanisms. The vulnerability was disclosed on April 22, 2024. CISA has identified CVE-2024-4040 as exploited, but it is not currently known to be used in ransomware campaigns.

Technical details

CrushFTP implements a Virtual File System (VFS) layer to restrict user file access to designated sandbox directories. However, due to insufficient validation of file paths and access restrictions, remote authenticated users can bypass these sandbox restrictions and access files outside their intended directory boundaries. This is a path traversal vulnerability that breaks the fundamental security model of the VFS sandbox.

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-269 (Improper Control of Resource Identifiers) and CWE-552 (Files or Directories Accessible to External Parties).

The vulnerability received a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, indicating its high severity.

Impact

Remote attackers with valid low-privilege credentials can read sensitive files outside their authorized sandbox directory. This could lead to disclosure of configuration files, private keys, credentials, source code, or other sensitive data stored on the system. While the vulnerability only allows reading files (no write/delete capability), the confidentiality impact is significant as attackers can enumerate and access any file readable by the CrushFTP service process.

Mitigation and workarounds

Update CrushFTP to version 10.7.1 (for the 10.x series) or 11.1.0 (for the 11.x series) or later. The patched versions contain fixes for VFS sandbox restrictions that properly validate and restrict file paths. Download the latest version from the CrushFTP website and follow the standard update procedure for your operating system. The following versions include the necessary fixes: CrushFTP 10.7.1, CrushFTP 11.1.0, and later versions.

As temporary workarounds:
- Implement network-level access controls to restrict CrushFTP access to trusted networks only; use firewall rules to limit which IP addresses can connect to the CrushFTP server.
- Disable or remove user accounts that are not actively needed, minimizing the number of valid credentials in the system to reduce the attack surface.
- Run CrushFTP with minimal file system permissions: configure the service to run under a restricted user account with limited access to the file system, and ensure at the OS level that the service process can only read files within the intended sandbox directories.
- Monitor file access patterns and audit logs for unusual path traversal attempts or access to files outside designated directories.
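To make the VFS sandbox-escape mechanism described under Technical details concrete, and to support the audit-log monitoring recommended above, here is an added illustrative example in Python; it is not CrushFTP's code, and the sandbox root and request paths are constructed. It places a naive resolver (the CWE-22 pattern) next to a hardened one that decodes, canonicalizes and enforces containment, plus a helper that replays request paths to flag the ones that would escape.

```python
import os
from typing import List, Optional
from urllib.parse import unquote

SANDBOX_ROOT = "/srv/sandbox/alice"  # constructed example root, not a CrushFTP path
SAMPLE_REQUESTS = [                  # constructed request paths, not captured traffic
    "docs/report.txt",
    "/docs/report.txt",
    "../bob/secret.txt",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e/%252e%252e/etc/shadow",
    "../alice2/notes.txt",
]


def naive_vfs_resolve(sandbox_root: str, requested: str) -> str:
    """Weak resolution (CWE-22 pattern): joins the request onto the sandbox root
    without checking where the result actually points."""
    return os.path.join(sandbox_root, requested.lstrip("/"))


def safe_vfs_resolve(sandbox_root: str, requested: str) -> Optional[str]:
    """Hardened resolution: decode, canonicalize, then enforce containment.
    Returns the absolute path inside the sandbox, or None if the request escapes."""
    decoded = unquote(unquote(requested))  # two rounds catch double-encoded '..'
    if "\x00" in decoded:                  # NUL can truncate paths in lower layers
        return None
    root = os.path.realpath(sandbox_root)
    # Requests are always relative to the sandbox root, even with a leading '/'.
    # realpath() collapses '..' lexically and follows symlinks, so a link inside
    # the sandbox that points outside is also caught by the check below.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Compare against root + separator so '/srv/sandbox/alice2' does not pass
    # as a child of '/srv/sandbox/alice'.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def audit_requests(sandbox_root: str, requested_paths: List[str]) -> List[str]:
    """Replay request paths (e.g. from an access log) and return those that
    would escape the sandbox, for alerting on traversal attempts."""
    return [p for p in requested_paths if safe_vfs_resolve(sandbox_root, p) is None]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:40} naive={naive_vfs_resolve(SANDBOX_ROOT, req)} "
              f"safe={safe_vfs_resolve(SANDBOX_ROOT, req)}")
    print("escapes:", audit_requests(SANDBOX_ROOT, SAMPLE_REQUESTS))
```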

CISA recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Source: This report was generated by AI

Related CrushFTP vulnerabilities

No related vulnerabilities with identified affected products.