CVE-2023-43177
Description
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
CVE-2023-43177: Critical Unauthenticated Remote Code Execution in CrushFTP
Overview:
CVE-2023-43177 is a critical vulnerability disclosed in August 2023, affecting CrushFTP servers prior to version 10.5.1. This vulnerability enables unauthenticated attackers to achieve remote code execution (RCE) on affected systems, leading to complete compromise.
Technical Details:
The vulnerability stems from an unauthenticated mass assignment flaw in how CrushFTP parses AS2 protocol headers. An attacker can manipulate these headers to gain arbitrary file read-and-delete access on the server’s file system. By chaining this with other techniques, they can escalate privileges and execute arbitrary code with the permissions of the CrushFTP server process, typically resulting in root access.
Severity and Risk:
This vulnerability has been assigned a CVSS v3.1 base score of 9.8, classifying it as Critical. This high severity is due to:
- No Authentication Required: Exploitation does not require any valid user credentials.
- Remote Exploitation: The attack can be launched remotely over the network.
- Full System Compromise: Successful exploitation leads to complete control of the affected server.
Attacker Value and Exploitability Assessment:
Based on a personal assessment, this vulnerability is rated as having high attacker value due to the potential for complete system compromise and the wide range of sensitive data that may be stored on file transfer servers. Additionally, the availability of public exploits and the straightforward exploitation process contribute to its easy exploitability.
Verified Active Exploitation:
While concrete public disclosures of widespread attacks are limited, several indicators point to active exploitation attempts:
- Proof-of-Concept Exploits: Public PoC exploits exist, lowering the barrier to entry for attackers.
- Security Advisories: Multiple cybersecurity firms have issued advisories warning of active scanning and potential exploitation.
  - Converge: https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
  - Arctic Wolf: https://arcticwolf.com/resources/blog/cve-2023-43177/
- Metasploit Module: A Metasploit module for exploiting CVE-2023-43177 is available, making the attack more accessible to a wider range of threat actors.
Mitigation and Recommendations:
- Patch Immediately: Upgrade to CrushFTP version 10.5.1 or later.
- Monitor for Exploitation: Review server logs for unusual AS2 activity or unauthorized file access.
- Temporary Workarounds (if patching is not possible):
  - Disable AS2 functionality.
  - Implement a web application firewall (WAF) with specific rules to block exploit attempts.
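The two defender tasks above (confirm whether a build predates 10.5.1, and review logs for unusual AS2 activity) can be scripted. The following is an added triage example written for this assessment; it is not CrushFTP code, not the Metasploit module, and not the assessment author's tooling. It assumes dotted version strings such as "10.4.3", and it parses a constructed, web-server-style access log layout in which AS2 requests are recognised by a "/as2" path; CrushFTP's real log format and AS2 endpoint are not shown on this page, so both the line layout and the path pattern are assumptions to adapt to your environment.

```python
"""Triage helpers for CVE-2023-43177 (CrushFTP < 10.5.1).

Added example; not CrushFTP's own code. Assumptions (not from the advisory):
  * version strings are dotted numerics, optionally prefixed with "v";
  * log lines follow a generic access-log layout (constructed below);
  * AS2 traffic is identified by a "/as2" path component.
"""
import re
from collections import Counter

FIXED_VERSION = (10, 5, 1)  # first fixed release named in the advisory


def parse_version(text):
    """Turn "10.4.3" / "v10.5" / "11" into a 3-tuple of ints (missing parts = 0)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable(version):
    """True when the installed build is older than 10.5.1."""
    return parse_version(version) < FIXED_VERSION


# Generic access-log layout (assumed): ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AS2_PATH_RE = re.compile(r"/as2\b", re.IGNORECASE)  # assumed endpoint pattern

# Constructed sample log: one known AS2 partner, one web user, one unknown host
# repeatedly hitting the AS2 endpoint and receiving error responses.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Nov/2023:10:01:02 +0000] "POST /as2 HTTP/1.1" 200 512
203.0.113.10 - - [16/Nov/2023:10:01:03 +0000] "POST /as2 HTTP/1.1" 200 512
198.51.100.7 - alice [16/Nov/2023:10:02:00 +0000] "GET /WebInterface/ HTTP/1.1" 200 1024
192.0.2.55 - - [16/Nov/2023:10:03:15 +0000] "POST /as2 HTTP/1.1" 500 0
192.0.2.55 - - [16/Nov/2023:10:03:16 +0000] "POST /as2 HTTP/1.1" 400 0
192.0.2.55 - - [16/Nov/2023:10:03:17 +0000] "POST /as2 HTTP/1.1" 500 0
"""


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def flag_as2_activity(events, partner_ips, error_threshold=3):
    """Return findings for AS2 requests from non-partner sources and for
    sources accumulating error_threshold or more AS2 error responses.

    partner_ips: set of source addresses expected to speak AS2 with this
    server. If the site does not use AS2 at all, pass an empty set so that
    every AS2 request is flagged.
    """
    unknown = Counter()
    errors = Counter()
    for ev in events:
        if not AS2_PATH_RE.search(ev["path"]):
            continue
        if ev["ip"] not in partner_ips:
            unknown[ev["ip"]] += 1
        if ev["status"] >= 400:
            errors[ev["ip"]] += 1

    findings = []
    for ip, n in sorted(unknown.items()):
        findings.append({"rule": "as2-from-unknown-source", "ip": ip, "count": n})
    for ip, n in sorted(errors.items()):
        if n >= error_threshold:
            findings.append({"rule": "as2-error-burst", "ip": ip, "count": n})
    return findings


if __name__ == "__main__":
    for v in ("10.4.3", "10.5.0", "10.5.1", "11.0"):
        print(f"CrushFTP {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for f in flag_as2_activity(parse_log(SAMPLE_LOG), partner_ips={"203.0.113.10"}):
        print(f)
```

Run against real logs by replacing SAMPLE_LOG with the file contents and LOG_RE with a pattern matching the actual log layout; the partner allowlist is the key input, since after disabling AS2 (the workaround above) any AS2 request at all is worth investigating.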
Conclusion:
CVE-2023-43177 poses a severe risk to organizations using CrushFTP due to its high attacker value, easy exploitability, and evidence of active exploitation attempts. Immediate patching and additional security measures are crucial for mitigating this ongoing threat.
General Information
Vendors
- crushftp
Products
- crushftp