CVE-2023-43177: CrushFTP Zero-Day Vulnerability Threatens Thousands of Organizations

In the intricate web of cybersecurity, a new menace has surfaced, posing a significant threat to the thousands of businesses that rely on the CrushFTP server suite. The vulnerability, tracked as CVE-2023-43177, recently emerged in the popular file transfer server CrushFTP and affects any organization that runs it.

CrushFTP: A Multifaceted File Transfer Solution

CrushFTP, a multi-protocol, multi-platform file transfer server, has garnered popularity among businesses of all sizes due to its robust capabilities and ease of use. It supports a wide array of protocols, including FTP, FTPS, SFTP, HTTP, HTTPS, WebDAV, and WebDAV SSL, enabling seamless file transfers between diverse devices and platforms.

The Unfolding Threat: A Zero-Day Vulnerability

In August 2023, Converge’s security researchers uncovered a critical unauthenticated zero-day vulnerability, CVE-2023-43177, affecting the CrushFTP enterprise suite. This vulnerability, with its vast attack surface encompassing approximately 10,000 public instances and an even larger number behind corporate firewalls, posed a significant threat to organizations relying on CrushFTP.

The Exploit’s Impact: Unfettered Access and Control

The vulnerability’s exploitation granted unauthenticated attackers unrestricted access to CrushFTP files, empowering them to execute arbitrary programs on the host server and even retrieve plain-text passwords. This level of control posed a severe risk to sensitive data and the overall security of compromised systems.

Understanding the Vulnerability: A Technical Deep Dive

The root cause of CVE-2023-43177 lies in an unauthenticated mass-assignment vulnerability. This critical flaw is rooted in how CrushFTP processes AS2 protocol request headers. An attacker, by manipulating the AS2 header parsing logic, can gain partial control over the Java Properties related to user information. This manipulation opens the door to arbitrary file read-and-delete capabilities on the host system, eventually spiraling into full system compromise and root-level remote code execution.

The Attack Chain: How Attackers Exploit the Vulnerability

Attack payloads for CVE-2023-43177 are delivered through HTTP request headers sent to the CrushFTP web interface service, which typically listens on ports such as 80, 443, 8080, and 9090. One header, “AS2-To,” is critical for the exploit. Notably, AS2 is a specialized feature; hence, any AS2-related activity on servers not configured for AS2 should raise immediate red flags as a potential prelude to an attack.
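The paragraph above gives defenders a concrete detection hook: an AS2-To header arriving at the CrushFTP web interface on a server that never uses AS2. The following is an added example, not code from the article or from CrushFTP, that implements that check over raw HTTP requests as a reverse proxy, WAF or IDS might capture them. The request records, host name, IP addresses and header values are constructed sample data; the port list is the one the article names, and the helper names are this example's own.

```python
"""Flag HTTP requests that carry an AS2-To header toward a CrushFTP web
interface port, on a host where AS2 is (or is not) expected.

Added detection example; not part of the original article or of CrushFTP.
"""
from dataclasses import dataclass

# Web-interface ports named in the article for CVE-2023-43177.
CRUSHFTP_WEB_PORTS = {80, 443, 8080, 9090}


@dataclass
class Finding:
    src: str           # client address that sent the request
    dst_port: int      # CrushFTP port the request was sent to
    header_value: str  # value of the AS2-To header as observed
    reason: str        # why the request was flagged


def parse_request_headers(raw: bytes) -> dict[str, str]:
    """Return the header block of a raw HTTP/1.x request as a dict.

    Header names are lower-cased because HTTP header names are
    case-insensitive; a probe may send 'as2-to' rather than 'AS2-To'.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect(records, as2_enabled: bool) -> list[Finding]:
    """Scan (src, dst_port, raw_request) records and return findings.

    Only traffic aimed at the web-interface ports is considered, since that
    is where the article says the header-borne payload is delivered.
    """
    findings: list[Finding] = []
    for src, dst_port, raw in records:
        if dst_port not in CRUSHFTP_WEB_PORTS:
            continue
        headers = parse_request_headers(raw)
        if "as2-to" not in headers:
            continue
        if as2_enabled:
            reason = "AS2-To header observed; verify sender is a known AS2 trading partner"
        else:
            reason = "AS2-To header on a server not configured for AS2"
        findings.append(Finding(src, dst_port, headers["as2-to"], reason))
    return findings


# Constructed sample traffic (hypothetical host, RFC 5737 documentation IPs).
SAMPLE_REQUESTS = [
    # Ordinary login page fetch: no AS2-To header, must not be flagged.
    ("198.51.100.10", 8080,
     b"GET /WebInterface/login.html HTTP/1.1\r\n"
     b"Host: files.example.test\r\n"
     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # Lower-cased AS2-To header toward the HTTPS web interface: flagged.
    ("203.0.113.5", 443,
     b"POST /WebInterface/ HTTP/1.1\r\n"
     b"Host: files.example.test\r\n"
     b"as2-to: sample-partner\r\n"
     b"Content-Length: 0\r\n\r\n"),
    # Same header on a non-web port: outside this rule's scope.
    ("203.0.113.5", 2222,
     b"POST / HTTP/1.1\r\n"
     b"Host: files.example.test\r\n"
     b"AS2-To: sample-partner\r\n\r\n"),
]


def audit_sample(as2_enabled: bool = False) -> list[Finding]:
    """Run the rule over the constructed sample set."""
    return inspect(SAMPLE_REQUESTS, as2_enabled)


if __name__ == "__main__":
    for f in audit_sample(as2_enabled=False):
        print(f"{f.src} -> :{f.dst_port} AS2-To={f.header_value!r}: {f.reason}")
```

On a server that does not use AS2 at all, every finding is worth an alert; on one that does, the finding still lists the source address and header value so the request can be matched against the expected trading partners. The rule looks only at the web-interface ports the article lists, so a deployment that moved the web interface elsewhere should adjust `CRUSHFTP_WEB_PORTS`.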

Vulnerability Remediation and Hardening Measures

The CrushFTP development team promptly responded to the vulnerability disclosure, releasing a patch, CrushFTP version 10.5.2, to address the issue. However, the potential for exploitation remains, as threat actors have reportedly developed proof-of-concept exploits.

To safeguard their CrushFTP instances, organizations should prioritize timely patch applications and implement additional hardening measures. These measures include:

  1. Log in to the web portal, open the administrator dashboard, and update to the latest version of CrushFTP.
  2. To ensure automatic future patching, administrators should set CrushFTP to the non-standard configuration of Auto-update for new security patches when idle.
  3. Configure the default password algorithm to Argon.
  4. Audit for any unauthorized new user accounts via the user management dashboard and recent application logs. Attackers also establish persistence by modifying passwords for existing accounts, so searching for recent password changes is necessary.
  5. The new hardened Limited Server mode, introduced by CrushFTP in response to Converge researcher feedback, should be enabled. This opt-in mode implements important security restrictions to harden your installation against any future exploitation attempts. The most restrictive configuration possible should be enabled after setting up Limited Server.