CVE-2023-43177: Critical Unauthenticated RCE Vulnerability in CrushFTP


On 10 August 2023, CrushFTP released an advisory regarding a vulnerability affecting versions of CrushFTP lower than 10.5.1. Since then, the vulnerability has been tracked as CVE-2023-43177 and the security researchers at Converge published a blog sharing their findings on 16 November. 

CVE-2023-43177 is a mass assignment vulnerability in the way CrushFTP parses request headers for the AS2 protocol. Successful exploitation could lead to unauthenticated remote code execution (RCE). According to Converge's threat intelligence, threat actors have developed proofs of concept and future exploitation is likely.
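To make the bug class concrete, the following is an added example, not CrushFTP's code and not from the Converge write-up. It shows the difference between binding every incoming header onto a settings object (mass assignment) and binding only an allow-list. The settings names, header names and request text are constructed for illustration and are not CrushFTP's real configuration keys or AS2 headers.

```python
"""Mass assignment via request headers: vulnerable binding vs allow-list binding.

Constructed example. The field names below (as2_from, working_directory, ...)
are hypothetical and are NOT CrushFTP's internal settings.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SessionSettings:
    # Fields a client is legitimately expected to influence (hypothetical)
    as2_from: str = ""
    as2_to: str = ""
    message_id: str = ""
    # Internal field a client must never be able to set (hypothetical)
    working_directory: str = "/var/app/inbox"


# Allow-list: the only settings an unauthenticated request may set
CLIENT_SETTABLE = {"as2_from", "as2_to", "message_id"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines; names lowercased, hyphens mapped to underscores."""
    out: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        name, _, value = line.partition(":")
        out[name.strip().lower().replace("-", "_")] = value.strip()
    return out


def bind_vulnerable(headers: Dict[str, str]) -> SessionSettings:
    """Mass assignment: any header whose name matches an attribute is applied."""
    settings = SessionSettings()
    for name, value in headers.items():
        if hasattr(settings, name):
            setattr(settings, name, value)
    return settings


def bind_hardened(headers: Dict[str, str]) -> Tuple[SessionSettings, List[str]]:
    """Allow-list binding: unexpected names are rejected and returned for logging."""
    settings = SessionSettings()
    rejected: List[str] = []
    for name, value in headers.items():
        if name in CLIENT_SETTABLE:
            setattr(settings, name, value)
        else:
            rejected.append(name)
    return settings, rejected


# Constructed request: the last header targets an internal field
SAMPLE_REQUEST = """\
AS2-From: partner-a
AS2-To: our-gateway
Message-ID: <msg-1@example.invalid>
Working-Directory: /tmp/not-the-inbox
"""

if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_REQUEST)
    print("vulnerable:", bind_vulnerable(parsed))
    hardened, rejected = bind_hardened(parsed)
    print("hardened:", hardened, "rejected:", rejected)
```

The detection angle for defenders is the `rejected` list: a binder that logs header names it refused to apply gives you a signal of probing that a silently permissive binder never produces.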

Additionally, on 16 November 2023, CrushFTP released an advisory on a new vulnerability affecting versions of CrushFTP lower than 10.5.5, which was responsibly disclosed to them by the UK NCSC. Exploitation could allow a threat actor who knows the admin username to gain access to the instance, or a threat actor with a non-privileged account to gain unauthorised access to files, which could allow the threat actor to log in as a more privileged user.

CrushFTP states that this vulnerability is not known to be exploited in the wild, and Arctic Wolf has not found any public proof of concept exploits at this time. The vulnerability has yet to be assigned a CVE number, but CrushFTP states that one is pending.

Recommendations for CVE-2023-43177

Recommendation #1: Upgrade to Fixed Version of CrushFTP

Arctic Wolf strongly recommends upgrading CrushFTP to the minimum safe version, 10.5.5. CrushFTP provides instructions on how to upgrade your CrushFTP instance here.

Product  | Affected Version                | CVE         | Fixed Version
CrushFTP | all versions lower than 10.5.5  | CVE pending | 10.5.5 and above

Please follow your organisation's patching and testing guidelines to avoid any operational impact.
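Added example (not from the bulletin or from CrushFTP): a small triage helper that checks an inventory of CrushFTP versions against the two thresholds the bulletin gives, 10.5.1 for CVE-2023-43177 and 10.5.5 for the pending-CVE issue. It compares versions numerically, because a plain string comparison would wrongly rank "10.5.10" below "10.5.5". The host names and versions in the inventory are constructed sample data.

```python
"""Flag CrushFTP instances below the fixed versions named in the bulletin."""
from typing import List, Tuple

# Thresholds stated in the bulletin
CVE_2023_43177_FIXED = (10, 5, 1)   # CVE-2023-43177 affects versions lower than 10.5.1
MIN_SAFE = (10, 5, 5)               # pending-CVE issue affects versions lower than 10.5.5


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.5.10' -> (10, 5, 10). Non-digit suffixes such as '10.5.5b' are tolerated."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_below(version: str, threshold: Tuple[int, ...]) -> bool:
    """True when the version is strictly lower than the threshold."""
    return parse_version(version) < threshold


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, reason) for every instance that still needs the upgrade."""
    findings = []
    for host, version in inventory:
        if is_below(version, CVE_2023_43177_FIXED):
            findings.append((host, version,
                             "CVE-2023-43177 and pending-CVE issue; upgrade to 10.5.5"))
        elif is_below(version, MIN_SAFE):
            findings.append((host, version, "pending-CVE issue; upgrade to 10.5.5"))
    return findings


# Constructed sample inventory (host name, reported CrushFTP version)
SAMPLE_INVENTORY = [
    ("xfer-01", "10.4.2"),
    ("xfer-02", "10.5.3"),
    ("xfer-03", "10.5.10"),
    ("xfer-04", "10.5.5"),
]

if __name__ == "__main__":
    for host, version, reason in triage(SAMPLE_INVENTORY):
        print(f"{host} ({version}): {reason}")
```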

Recommendation #2: Follow Converge’s Advice to Mitigate Against CVE-2023-43177

Converge's blog shares further advice on how to secure CrushFTP servers, including:

  1. Enable automatic updates for CrushFTP.
  2. Configure the default password algorithm to BCrypt.
  3. Check for any newly created unauthorised accounts or recent password changes on existing accounts.
  4. Enable the newly introduced Limited Server mode.

References 

  1. CrushFTP Updates
  2. Converge’s Blog 
James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.