Exploit for CrushFTP RCE chain released, patch now

November 18, 2023 at 10:32PM

A proof-of-concept exploit for a critical remote code execution vulnerability in CrushFTP has been publicly released. Unauthenticated attackers can access files, execute code, and obtain passwords. The developers released a fix in CrushFTP 10.5.2, but applying the patch alone may not protect against all threats. Users should update to the latest version, enable automatic security patch updates, change the password algorithm, audit for unauthorized users, and activate Limited Server mode. Additional hardening includes running the service under a limited-privilege operating system account, deploying a reverse proxy, and setting firewall rules. Immediate action is necessary to prevent opportunistic attacks.

Summary:

– A critical remote code execution vulnerability (CVE-2023-43177) has been discovered in the CrushFTP enterprise suite.
– The vulnerability allows unauthenticated attackers to access files, execute code, and obtain plain-text passwords.
– Converge security researchers discovered the vulnerability and responsibly reported it to the vendor.
– The developers have released a fix in CrushFTP 10.5.2.
– Converge has published a proof-of-concept exploit for the vulnerability, urging users to install security updates immediately.
– The exploit leverages an unauthenticated mass-assignment vulnerability to control user session properties.
– Attackers can read and delete files, gain complete system control, and achieve root-level remote code execution.
– The attackers can send payloads through web headers on specific ports, overwrite session data, and manipulate files.
– By exploiting the admin panel’s handling of SQL driver loading and database configuration testing, attackers can execute arbitrary Java code.
– There are approximately 10,000 public-facing CrushFTP instances, making the attack surface significant.
– Applying patches does not entirely secure CrushFTP endpoints against all possible threats.
– Steps to mitigate the risk include updating CrushFTP, enabling automatic security patch updates, changing the password algorithm, auditing for unauthorized users, and activating Limited Server mode.
– Additional measures for enhanced security include using a limited-privilege operating system service account, deploying Nginx or Apache as a reverse proxy, and setting firewall rules to limit CrushFTP traffic to trusted IP ranges and hosts.