CVE-2023-43177: Critical Unauthenticated Remote Code Execution in CrushFTP

Overview:

CVE-2023-43177 is a critical vulnerability disclosed in August 2023, affecting CrushFTP servers prior to version 10.5.1. This vulnerability enables unauthenticated attackers to achieve remote code execution (RCE) on affected systems, leading to complete compromise.

Technical Details:

The vulnerability stems from an unauthenticated mass assignment flaw in how CrushFTP parses AS2 protocol headers. An attacker can manipulate these headers to gain arbitrary file read-and-delete access on the server’s file system. By chaining this with other techniques, they can escalate privileges and execute arbitrary code with the permissions of the CrushFTP server process, typically resulting in root access.

Severity and Risk:

This vulnerability has been assigned a CVSS v3.1 base score of 9.8, classifying it as Critical. This high severity is due to:

No Authentication Required: Exploitation does not require any valid user credentials.
Remote Exploitation: The attack can be launched remotely over the network.
Full System Compromise: Successful exploitation leads to complete control of the affected server.
Attacker Value and Exploitability Assessment:

Based on a personal assessment, this vulnerability is rated as having high attacker value due to the potential for complete system compromise and the wide range of sensitive data that may be stored on file transfer servers. Additionally, the availability of public exploits and the straightforward exploitation process contribute to its easy exploitability.

Verified Active Exploitation:

While concrete public disclosures of widespread attacks are limited, several indicators point to active exploitation attempts:

Proof-of-Concept Exploits: Public PoC exploits exist, lowering the barrier to entry for attackers.
Security Advisories: Multiple cybersecurity firms have issued advisories warning of active scanning and potential exploitation.
Converge: https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
Arctic Wolf: https://arcticwolf.com/resources/blog/cve-2023-43177/
Metasploit Module: A Metasploit module for exploiting CVE-2023-43177 is available, making the attack more accessible to a wider range of threat actors.
Mitigation and Recommendations:

Patch Immediately: Upgrade to CrushFTP version 10.5.1 or later.
Monitor for Exploitation: Review server logs for unusual AS2 activity or unauthorized file access.
Temporary Workarounds (if patching is not possible):
Disable AS2 functionality.
Implement a web application firewall (WAF) with specific rules to block exploit attempts.
Conclusion:

CVE-2023-43177 poses a severe risk to organizations using CrushFTP due to its high attacker value, easy exploitability, and evidence of active exploitation attempts. Immediate patching and additional security measures are crucial for mitigating this ongoing threat.