โŒ

Normal view

There are new articles available, click to refresh the page.
Before yesterdayRapid7 Blog

Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise

23 April 2024 at 11:26

Rapid7 vulnerability researcher Ryan Emmons contributed to this blog.

On Friday, April 19, 2024, managed file transfer vendor CrushFTP released information to a private mailing list on a new zero-day vulnerability affecting versions below 10.7.1 and 11.1.0 (as well as all legacy 9.x versions) across all platforms. No CVE was assigned by the vendor, but a third-party CVE Numbering Authority (CNA) assigned CVE-2024-4040 as of Monday, April 22. According to a public-facing vendor advisory, the vulnerability is ostensibly a VFS sandbox escape in CrushFTP managed file transfer software that allows "remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox."

Rapid7's vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. In practice, a remote, unauthenticated attacker can access and potentially exfiltrate all files stored on the CrushFTP instance. See Rapid7's full technical analysis of CVE-2024-4040 in AttackerKB for additional details.

Code that triggers the vulnerability is publicly available as of April 23. CVE-2024-4040 was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) list on April 24.

Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI). CVE-2024-4040 was exploited in the wild as a zero-day vulnerability, per private customer communications from the vendor and a public Reddit post from security firm CrowdStrike. Using a query that looks for a specific JavaScript file in the web interface, there appear to be roughly 5,200 instances of CrushFTP exposed to the public internet.

Mitigation guidance

According to the advisory, CrushFTP versions below 11.1 are vulnerable to CVE-2024-4040; the 10.x stream received a separate fix in 10.7.1, and the legacy 9.x stream received no fix at all. The following versions of CrushFTP are vulnerable as of April 23:

  • All legacy CrushFTP 9 installations
  • CrushFTP 10 before v10.7.1
  • CrushFTP 11 before v11.1.0

The vulnerability has been patched in version 11.1.0 for the 11.x version stream, and in version 10.7.1 for the 10.x version stream. Our research team has validated that the vendor-supplied patch effectively remediates CVE-2024-4040.

The vendor advisory emphasizes the importance of updating to a fixed version of CrushFTP on an urgent basis. Rapid7 echoes this guidance, particularly given our team's findings on the true impact of the issue, and urges organizations to apply the vendor-supplied patch on an emergency basis, without waiting for a typical patch cycle to occur.

While the vendor guidance as of April 22 says that "customers using a DMZ in front of their main CrushFTP instance are partially protected," it's unclear whether this is actually an effective barrier to exploitation. Out of an abundance of caution, Rapid7 advises against relying on a DMZ as a mitigation strategy.

Detection challenges

During the course of vulnerability analysis, Rapid7 observed several factors that make it difficult to effectively detect exploitation of CVE-2024-4040. Payloads for CVE-2024-4040 can be delivered in many different forms. When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic. CrushFTP instances behind a standard reverse proxy, such as NGINX or Apache, are partially defended against these techniques, but our team has found that evasive tactics are still possible.

CrushFTP customers can harden their servers against administrator-level remote code execution attacks by enabling Limited Server mode with the most restrictive configuration possible. Organizations should also use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-4040 with an authenticated vulnerability check available in the April 24 content release. Customers can also use Query Builder (asset.software.product CONTAINS 'CrushFTP') or a Filtered Asset Search (Software Name contains CrushFTP) to find assets in their environment with CrushFTP installed.

InsightIDR and managed detection and response (MDR) customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability for both InsightIDR and Rapid7 MDR customers:

  • Suspicious Web Request - Possible CrushFTP (CVE-2024-4040) Exploitation

Updates

April 23, 2024: Added Detection challenges section. Noted that our team tested the vendor-supplied patch and found that it successfully remediates CVE-2024-4040. Added detection rule deployed and alerting for InsightIDR and Rapid7 MDR customers. Added Query Builder information to assist InsightVM and Nexpose customers in identifying CrushFTP installations in their environments. Added link to Airbus CERT proof-of-concept code.

April 24, 2024: CVE-2024-4040 has been added to CISA KEV. A vulnerability check is now available to InsightVM and Nexpose customers. Rapid7's full technical analysis of CVE-2024-4040 is now available in AttackerKB.

CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls

12 April 2024 at 08:59

On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 zero-day vulnerability in several versions of PAN-OS, the operating system that runs on the company's firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Patches are available for some versions as of Sunday, April 14, 2024.

Note: Initially, Palo Alto Networks' advisory indicated that customers were only vulnerable if they were using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with both GlobalProtect gateway (or GlobalProtect portal) and device telemetry enabled. As of Tuesday, April 16, the advisory has been updated to say, "Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability."

Palo Alto Networks' advisory indicates that CVE-2024-3400 has been exploited in the wild in "a limited number of attacks." The company has given the vulnerability their highest urgency rating. Palo Alto Networks has released an in-depth blog on the scope of the attack, indicators of compromise, and adversary behavior observations. We highly recommend reviewing it. Security firm Volexity, who discovered the zero-day vulnerability, also has a blog available here with extensive analysis, indicators of compromise, and observed attacker behavior.

Mitigation guidance

CVE-2024-3400 was unpatched at time of disclosure, but patches are available for some versions of PAN-OS as of Sunday, April 14. CVE-2024-3400 affects the following versions of PAN-OS when GlobalProtect (gateway or portal) is enabled:

  • PAN-OS 11.1 (before 11.1.2-h3)
  • PAN-OS 11.0 (before 11.0.4-h1)
  • PAN-OS 10.2 (before 10.2.7-h8, before 10.2.8-h3, before 10.2.9-h1)
  • Additional versions have been added to the advisory since initial publication

The vendor has updated their advisory as of April 16 to note that device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability. Palo Alto Networks' Cloud NGFW and Prisma Access solutions are not affected; nor are earlier versions of PAN-OS (10.1, 10.0, 9.1, and 9.0).

Important: Palo Alto Networks has been continually updating their advisory, which now has an extensive list of affected versions and when fixes are expected. For additional information and the latest remediation guidance, please refer to the vendor advisory as the source of truth.
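Both posts on this page reduce the first triage question to "is the observed version below the first fixed build on its branch?", but the two products encode that differently: CrushFTP has one fixed build per major version (and no fix at all for 9.x), while PAN-OS fixes are per maintenance release and carry a hotfix suffix, so 11.1.2 is vulnerable but 11.1.2-h3 is not. The following Python is an added example, not Rapid7 or vendor tooling. Its tables are transcribed from the version lists in the two posts above as of the dates given there, so any release not in them is reported as "unknown" rather than guessed; the vendor advisories remain the source of truth. The version string formats it accepts are an assumption.

```python
"""Branch-aware fixed-version triage for CVE-2024-4040 (CrushFTP) and
CVE-2024-3400 (PAN-OS).  Added example; tables transcribed from the posts on
this page, not from live advisory data."""
import re
from typing import Dict, Optional, Tuple

# CrushFTP: keyed by major version.  None means "no fixed build on this branch".
CRUSHFTP_FIXED: Dict[int, Optional[Tuple[int, int, int]]] = {
    9: None,            # all legacy 9.x installations are vulnerable
    10: (10, 7, 1),     # 10.x fixed in 10.7.1
    11: (11, 1, 0),     # 11.x fixed in 11.1.0
}

# PAN-OS: keyed by (major, minor, maintenance); value is the first fixed hotfix.
# Only the releases named in the post are listed; the advisory lists more.
PANOS_FIXED: Dict[Tuple[int, int, int], int] = {
    (11, 1, 2): 3,
    (11, 0, 4): 1,
    (10, 2, 7): 8,
    (10, 2, 8): 3,
    (10, 2, 9): 1,
}
PANOS_UNAFFECTED_BRANCHES = {(10, 1), (10, 0), (9, 1), (9, 0)}


def parse_crushftp(version: str) -> Tuple[int, int, int]:
    """Accepts 'major.minor' or 'major.minor.patch' (assumed format)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def crushftp_status(version: str) -> str:
    v = parse_crushftp(version)
    if v[0] not in CRUSHFTP_FIXED:
        return "unknown"            # major version not covered by the post
    fixed = CRUSHFTP_FIXED[v[0]]
    if fixed is None:
        return "vulnerable"         # legacy branch with no fix: change branch
    return "vulnerable" if v < fixed else "fixed"


def parse_panos(version: str) -> Tuple[Tuple[int, int, int], int]:
    """Accepts 'major.minor.maint' with optional '-hN' hotfix (assumed format)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3])), int(m[4] or 0)


def panos_status(version: str, globalprotect_enabled: bool) -> str:
    """Exposure requires a GlobalProtect gateway or portal; telemetry is irrelevant."""
    release, hotfix = parse_panos(version)
    if release[:2] in PANOS_UNAFFECTED_BRANCHES:
        return "not affected"
    if not globalprotect_enabled:
        return "not exposed"
    first_fixed = PANOS_FIXED.get(release)
    if first_fixed is None:
        return "unknown"            # maintenance release not in the post's list
    return "vulnerable" if hotfix < first_fixed else "fixed"


if __name__ == "__main__":
    for v in ("9.4", "10.7.0", "10.7.1", "11.0.3", "11.1.0"):
        print(f"CrushFTP {v:>7}: {crushftp_status(v)}")
    for v in ("11.1.2", "11.1.2-h3", "10.2.7-h7", "10.2.9-h1", "10.2.6", "10.1.9"):
        print(f"PAN-OS {v:>10} (GlobalProtect on): {panos_status(v, True)}")
```

The "unknown" result is deliberate: a maintenance release that is not in the transcribed table should send you to the advisory, not be silently treated as fixed.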

Patches for CVE-2024-3400 were released on Sunday, April 14. Rapid7 recommends applying the vendor-provided patch immediately, without waiting for a typical patch cycle to occur. If you are unable to patch, apply one of the below vendor-provided mitigations:

  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers should ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. More information here.
  • Note: While disabling device telemetry was initially mentioned as a temporary workaround, Palo Alto Networks has said as of April 16 that disabling device telemetry is no longer an effective mitigation.

Palo Alto Networks has a knowledge base article here with their recommended steps for remediating exploited devices. We also recommend reviewing indicators of compromise in Palo Alto Networks' blog and Volexity's blog.

Rapid7 customers

Authenticated vulnerability checks are available to InsightVM and Nexpose customers as of the Friday, April 12 content release. Since the vendor added more vulnerable versions to their advisory after it was originally published, our engineering team has updated our vulnerability checks as of the Wednesday, April 17 content release to be able to detect additional vulnerable versions of PAN-OS.

Per the vendor advisory, organizations that are running vulnerable firewalls and are concerned about potential exploitation in their environments can open a support case with Palo Alto Networks to determine if their device logs match known indicators of compromise (IoCs) for this vulnerability.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability:

  • Attacker Technique - NTDS File Access
  • Attacker Technique: Renamed AnyDesk Binary in Non-Standard Location
  • Attacker Technique: Renamed EWSProxy in Non-Standard Location
  • Attacker Technique: Renamed AvastBrowserUpdate in Non-Standard Location
  • Attacker Tool - Unknown Raw File Copy Utility For Credential Dumping
  • Credential Access - Copying Credential Files with Esenutil
  • Suspicious Process: A Single Character Executable in Root Intel Directory
  • Suspicious Process - Avast Executable NOT in Program Files directory
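The rule names above describe behaviour, not logic. As an added example that is not Rapid7's rule content, the following Python sketches the kind of checks such names imply and runs them over constructed process-creation events. The event fields (image, original_file_name, command_line) are assumptions modelled on Sysmon-style telemetry, the PE OriginalFileName field being what lets a renamed binary still be identified; the thresholds and path lists are ours, and the sample events are made up for illustration.

```python
"""Illustrative checks for four of the post-exploitation patterns named above:
renamed known binaries outside their install directory, an Avast executable
outside Program Files, a single-character executable in C:\\Intel, and
esentutl.exe copying ntds.dit.  Added example; not Rapid7 detection logic."""
import ntpath
import re
from typing import Dict, List

# Binaries the rule names call out as renamed and dropped in odd places.
# Matching on PE OriginalFileName survives an on-disk rename (assumes the
# telemetry records it, as Sysmon event 1 does).
WATCHED_ORIGINAL_NAMES = {"anydesk.exe", "ewsproxy.exe", "avastbrowserupdate.exe"}
STANDARD_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
SINGLE_CHAR_IN_INTEL = re.compile(r"^[a-z]:\\intel\\[a-z0-9]\.exe$", re.I)
ESENTUTL_COPY_FLAG = re.compile(r"(^|\s)/y(\s|$)", re.I)   # esentutl /y = copy file
NTDS_PATH = re.compile(r"ntds\.dit", re.I)


def in_standard_dir(image: str) -> bool:
    return image.lower().startswith(STANDARD_DIRS)


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of every heuristic the event trips (empty if none)."""
    hits: List[str] = []
    image = ev["image"]
    base = ntpath.basename(image).lower()
    orig = ev.get("original_file_name", "").lower()
    cmd = ev.get("command_line", "")

    if orig in WATCHED_ORIGINAL_NAMES and base != orig and not in_standard_dir(image):
        hits.append(f"renamed {orig} in non-standard location")
    if orig.startswith("avast") and not in_standard_dir(image):
        hits.append("avast executable outside Program Files")
    if SINGLE_CHAR_IN_INTEL.match(image):
        hits.append("single-character executable in root Intel directory")
    if base == "esentutl.exe" and ESENTUTL_COPY_FLAG.search(cmd) and NTDS_PATH.search(cmd):
        hits.append("esentutl copying ntds.dit")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> hits, for events that tripped at least one check."""
    findings: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",        # 0: benign install
     "original_file_name": "AnyDesk.exe", "command_line": ""},
    {"image": r"C:\Users\Public\svchost.exe",                        # 1: renamed AnyDesk
     "original_file_name": "AnyDesk.exe",
     "command_line": r"C:\Users\Public\svchost.exe --service"},
    {"image": r"C:\Intel\a.exe",                                     # 2: one-char exe
     "original_file_name": "", "command_line": r"C:\Intel\a.exe"},
    {"image": r"C:\Windows\System32\esentutl.exe",                   # 3: ntds.dit copy
     "original_file_name": "esentutl.exe",
     "command_line": r"esentutl.exe /y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                     r"\Windows\NTDS\ntds.dit /d C:\Windows\Temp\n.dit /vss"},
    {"image": r"C:\Windows\System32\esentutl.exe",                   # 4: integrity check
     "original_file_name": "esentutl.exe",
     "command_line": r"esentutl.exe /g C:\Windows\NTDS\ntds.dit"},
    {"image": r"C:\ProgramData\AvastBrowserUpdate.exe",              # 5: not renamed, wrong dir
     "original_file_name": "AvastBrowserUpdate.exe", "command_line": ""},
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['image']}")
        for h in hits:
            print(f"    -> {h}")
```

Event 4 is the control: esentutl.exe touching ntds.dit with `/g` (integrity check) rather than `/y` (copy) is not flagged, which is the distinction a rule needs if it is to avoid paging on routine maintenance.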

Updates

Friday, April 12, 2024: Updated with link to Volexity blog on exploitation in the wild and indicators of compromise and Palo Alto Networks blog on the incident. Updated to note availability of VM content.

Monday, April 15, 2024: Updated to note that patches were available Sunday, April 14. Updated to note that GlobalProtect portal is also a vulnerable configuration (in addition to GlobalProtect gateway).

Tuesday, April 16, 2024: Added more vulnerable versions of the PAN-OS 10.2.x version stream per the updated vendor advisory. Patches are available for some versions, but not all, as of April 16. The advisory has ETAs on in-flight fixes. Rapid7 vulnerability checks will be updated on April 17 to detect newly listed vulnerable versions of PAN-OS.

Tuesday, April 16, 2024: Updated to note that disabling device telemetry is no longer considered an effective mitigation; Palo Alto Networks has now indicated that "device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability."

Wednesday, April 17, 2024: For InsightVM and Nexpose customers, vulnerability checks have been updated to detect additional vulnerable versions of PAN-OS. See the vendor advisory for the latest information.

Monday, April 22, 2024: Added list of (non-exhaustive) detection rules alerting for InsightIDR and Rapid7 MDR customers.

Monday, April 29, 2024: Added link to Palo Alto Networks KB article with recommendations on remediating exploited devices at different levels of compromise the vendor has defined.

โŒ
โŒ