Overview
CrushFTP contains a Virtual File System (VFS) sandbox escape vulnerability that allows remote attackers with low-privilege credentials to read files outside the restricted sandbox environment. The vulnerability exists because the file access mechanisms enforce the sandbox boundary insufficiently. The vulnerability was disclosed on April 22, 2024. CISA has identified CVE-2024-4040 as exploited in the wild; it is not currently known to be used in ransomware campaigns.
Technical details
CrushFTP implements a Virtual File System (VFS) layer to restrict user file access to designated sandbox directories. However, due to insufficient validation of file paths and access restrictions, remote authenticated users can bypass these sandbox restrictions and access files outside their intended directory boundaries. This is a path traversal vulnerability that breaks the fundamental security model of the VFS sandbox.
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-269 (Improper Control of Resource Identifiers) and CWE-552 (Files or Directories Accessible to External Parties).
The vulnerability has received a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N: network-reachable, low attack complexity, low privileges required, no user interaction, changed scope, high confidentiality impact and no integrity or availability impact.
Impact
Remote attackers with valid low-privilege credentials can read sensitive files outside their authorized sandbox directory. This could lead to disclosure of configuration files, private keys, credentials, source code, or other sensitive data stored on the system. While the vulnerability only allows reading files (no write/delete capability), the confidentiality impact is significant as attackers can enumerate and access any file readable by the CrushFTP service process.
Mitigation and workarounds
Update CrushFTP to version 10.7.1 (for the 10.x series) or 11.1.0 (for the 11.x series) or later. The patched versions fix the VFS sandbox restrictions so that file paths are properly validated and confined to the user's sandbox. Download the latest version from the CrushFTP website and follow the standard update procedure for your operating system. Fixed versions: CrushFTP 10.7.1, CrushFTP 11.1.0, and all later releases.
As temporary workarounds where an immediate update is not possible:
- Implement network-level access controls to restrict CrushFTP access to trusted networks only. Use firewall rules to limit which IP addresses can connect to the CrushFTP server.
- Disable or remove user accounts that are not in active use. Minimizing the number of valid credentials reduces the attack surface, since exploitation requires an authenticated account.
- Run CrushFTP with minimal file system permissions. Configure the service to run under a restricted user account with limited access to the file system, so that at the OS level the service process can only read files within the intended sandbox directories.
- Monitor file access patterns and audit logs for unusual path traversal attempts or access to files outside designated directories.
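The following is an added example, not CrushFTP code, illustrating the two points made above: how a sandbox boundary check must canonicalize a requested path before comparing it with the sandbox root (the Technical details section describes the failure of such a check), and how audit-log entries can be screened for requests that would resolve outside a user's sandbox. The sandbox root, the log line format and all sample paths are constructed for illustration; a naive prefix check is shown beside the hardened version to make the difference concrete.

```python
"""Sandbox confinement check and audit-log screening for path traversal.

Added example, not CrushFTP code. SANDBOX_ROOT, the log line format and the
sample paths are constructed for illustration only.
"""
import posixpath
import re
import urllib.parse

SANDBOX_ROOT = "/srv/ftp/users/alice"  # constructed sandbox root for one user


def naive_confine(root, requested):
    """Weak check: plain string-prefix comparison on the un-normalized path.

    Any path built by appending to the root starts with the root, so '..'
    segments pass straight through. This is the kind of check a sandbox
    escape defeats.
    """
    candidate = root.rstrip("/") + "/" + requested.lstrip("/")
    return candidate if candidate.startswith(root) else None


def confine(root, requested):
    """Hardened check: decode once, normalize, then compare the canonical result.

    Returns the canonical absolute path if it lies inside root, else None.
    The caller must open exactly the returned path (no further decoding), so
    the check and the file operation see the same string. Symbolic links are
    out of scope here; a real server would additionally apply realpath().
    """
    decoded = urllib.parse.unquote(requested)
    # NUL bytes truncate paths in many native APIs; never let them through.
    if "\x00" in decoded:
        return None
    # Treat every request as relative to the sandbox, even if it starts with '/'.
    joined = posixpath.join(root, decoded.lstrip("/"))
    canonical = posixpath.normpath(joined)
    root_norm = posixpath.normpath(root)
    if canonical == root_norm or canonical.startswith(root_norm + "/"):
        return canonical
    return None


# Constructed audit-log format: timestamp, user, operation, quoted requested path.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path="(?P<path>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed sample entries
    '2024-04-23T10:00:01Z user=alice op=GET path="reports/q1.csv"',
    '2024-04-23T10:00:07Z user=alice op=GET path="../../../../srv/ftp/conf/settings.xml"',
    '2024-04-23T10:00:09Z user=alice op=GET path="%2e%2e/%2e%2e/conf/settings.xml"',
    '2024-04-23T10:00:12Z user=alice op=GET path="docs/../reports/q2.csv"',
]


def scan_audit_log(lines, root):
    """Return (timestamp, user, requested path) for every entry whose path
    would resolve outside root under the hardened check.

    Resolving the path rather than grepping for '..' avoids flagging benign
    relative navigation such as docs/../reports/q2.csv.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that are not access records
        if confine(root, m["path"]) is None:
            hits.append((m["ts"], m["user"], m["path"]))
    return hits


if __name__ == "__main__":
    escaping = "../../../../srv/ftp/conf/settings.xml"
    print("naive check accepts:", naive_confine(SANDBOX_ROOT, escaping) is not None)
    print("hardened check accepts:", confine(SANDBOX_ROOT, escaping) is not None)
    for ts, user, path in scan_audit_log(SAMPLE_LOG, SANDBOX_ROOT):
        print(f"{ts} {user} requested path outside sandbox: {path}")
```

The naive check accepts the escaping path because the concatenated string still begins with the root; the hardened check rejects it, and also rejects the percent-encoded form, because comparison happens only after decoding and normalization. Run over the constructed log, the scanner reports the two escaping requests and stays silent on the legitimate `docs/../reports/q2.csv` entry.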
CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI

