On 10 August 2023, CrushFTP released an advisory regarding a vulnerability affecting CrushFTP versions lower than 10.5.1. The vulnerability has since been tracked as CVE-2023-43177, and security researchers at Converge published a blog sharing their findings on 16 November.
CVE-2023-43177 is a mass assignment vulnerability in the way CrushFTP parses request headers for the AS2 protocol. Successful exploitation could lead to unauthenticated remote code execution (RCE). According to Converge's threat intelligence, threat actors have developed proofs of concept and future exploitation is likely.
Additionally, on 16 November 2023, CrushFTP released an advisory on a new vulnerability affecting CrushFTP versions lower than 10.5.5, which was responsibly disclosed to them by the UK NCSC. Exploitation could allow a threat actor who knows the admin username to gain access to the instance, or a threat actor with a non-privileged account to gain unauthorised access to files, which could in turn allow them to log in as a more privileged user.
CrushFTP states that this vulnerability is not known to be exploited in the wild, and Arctic Wolf has not found any public proof-of-concept exploits at this time. The vulnerability has yet to be assigned a CVE number, but CrushFTP states that one is pending.
Recommendations for CVE-2023-43177
Recommendation #1: Upgrade to Fixed Version of CrushFTP
Arctic Wolf strongly recommends upgrading CrushFTP to the minimum safe version of 10.5.5. CrushFTP provides instructions on how to upgrade your CrushFTP instance here.
| Product | Affected Version | CVE | Fixed Version |
|---|---|---|---|
| CrushFTP | all versions lower than 10.5.5 | CVE pending | 10.5.5 and above |
Please follow your organisation’s patching and testing guidelines to avoid any operational impact.
Recommendation #2: Follow Converge’s Advice to Mitigate Against CVE-2023-43177
In their blog, Converge share further advice on how to secure CrushFTP servers. This includes:
- Enabling automatic updates for CrushFTP.
- Configuring the default password algorithm to BCrypt.
- Checking for any newly created unauthorised accounts or recent password changes on existing accounts.
- Enabling the newly introduced Limited Server mode.