popup cross
Please enable JavaScript in your browser to complete this form.

See AccuKnox in Action

Meet our security experts to understand risk assessment in depth

Name
Checkbox Items

For information on how we comply with data privacy practices, please review our Privacy Policy.

search logo search cross
Get a demo

CrushFTP Under Attack: How AccuKnox Stops CVE-2024-4040 Exploitation

by Safeer Sathar | September 20, 2024

What is CrushFTP? CrushFTP is an enterprise-grade file transfer tool supporting FTP, SFTP, and FTPS protocols. Modern web-based FTP clients provide convenient access to remote servers directly from browsers. CVE-2024-4040, affecting CrushFTP versions before 10.7.1 and 11.1.0, is a critical vulnerability with a CVSS score of 9.8. It allows remote, low-privileged attackers to bypass the […]

Reading Time: 3 minutes

Table of Contents

What is CrushFTP?

CrushFTP is an enterprise-grade file transfer tool supporting FTP, SFTP, and FTPS protocols. Modern web-based FTP clients provide convenient access to remote servers directly from browsers.

CVE-2024-4040, affecting CrushFTP versions before 10.7.1 and 11.1.0, is a critical vulnerability with a CVSS score of 9.8. It allows remote, low-privileged attackers to bypass the VFS sandbox, read sensitive files, and execute arbitrary code via server-side template injection (SSTI). This flaw has been actively exploited in the wild.

This post demonstrates the CVE-2024-4040 exploitation and how AccuKnox Runtime Security can defend environments from such attacks.

Simulating the Attack in a Kubernetes Cluster

As you can see, a vulnerable version of CrushFTP is running on the Kubernetes cluster:

To exploit the CVE-2024-4040 vulnerability, we will use the exploitation proof-of-concept (PoC) script. You can find the PoC script and detailed instructions at this link.

python3 crushed.py -t http://localhost:30037 -l /etc/passwd

Exploitation

This will extract the sensitive file /etc/passwd from the CrushFTP server, showcasing the impact of CVE-2024-4040. You can view a demonstration of this process above. In the extracted response, after encountering the message “You need upload permissions to zip a file,” the details of the /etc/passwd file and other sensitive information become visible.

Impact of Exploitation on Kubernetes

If this attack is successful, the attacker can:

  • Gain Unauthenticated Remote Code Execution (RCE) within the container.
  • Escalate Privileges by leveraging other vulnerabilities in the system.
  • Lateral Movement across the Kubernetes cluster, targeting other pods or services.

In a Kubernetes environment, such an attack could expose sensitive data, disrupt services, or open doors for further attacks across the cloud infrastructure.

Defend with AccuKnox Runtime Security

AccuKnox Runtime Security is a runtime security enforcement tool for Kubernetes that can block unauthorized or malicious activity within containers. By integrating AccuKnox Runtime Security’s security policies, you can prevent exploitation attempts in real-time.

Now, let’s focus on how you can defend against this attack using AccuKnox Runtime Security’s security capabilities. Before that ensure AccuKnox runtime security is installed and configured on your Kubernetes cluster.

AccuKnox Runtime Security for Protection

In this defense strategy, we utilize AccuKnox Runtime Security to block unauthorized access to sensitive files and prevent exploitation in real-time.

Block Unauthorized File Access

In this step, we’ll be using an AccuKnox Runtime Security hardening policy to block unauthorized access to sensitive files like /etc/passwd. Here’s a screenshot showing how the policy looks in action:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: cve-2024-4040
  namespace: crushftp
spec:
  action: Block
  file:
    matchDirectories:
    - dir: /etc/ssh/
    matchPaths:
    - path: /etc/passwd
    - path: /etc/shadow
    - path: /var/log/auth.log
    - path: /var/log/wtmp
    - path: /var/run/utmp
  message: Access sensitive files detected
  selector:
    matchLabels:
      app: cve-2024-4040
  severity: 1

In the demonstration below, you can see how the file is accessed before applying AccuKnox Runtime Security policies. After the policies are in place, the same attempt to read /etc/passwd is blocked by AccuKnox Runtime Security, effectively preventing unauthorized access.

Exploitation and Defend

By utilizing AccuKnox Runtime Security, you enforce:

  • Granular Control over file access and execution within containers.
  • Real-Time Blocking of exploitation attempts without needing code changes.
  • Monitoring and Auditing of any unauthorized actions within the container, helping to detect and mitigate attacks early.

CVE-2024-4040 poses a serious risk and with AccuKnox Runtime Security, you can proactively defend your Kubernetes workloads. Applying runtime policies ensures that attacks are not just detected but actively blocked.

You can protect your workloads in minutes using AccuKnox, it is available to protect your Kubernetes and other cloud workloads using Kernel Native Primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your cloud security program.

Secure your workloads

side-banner Explore Marketplace

*No strings attached, limited period offer!

  • Schedule 1:1 Demo
  • Product Tour

On an average Zero Day Attacks cost $3.9M

why accuknox logo
Marketplace Icon

4+

Marketplace Listings

Regions Icon

7+

Regions

Compliance Icon

33+

Compliance Coverage

Integration Icon

37+

Integrations Support

founder-image

Stop attacks before they happen!

Total Exposed Attacks in 2024 Costed

~$1.95 Billion
Schedule 1:1 Demo

See interactive use cases in action

Experience easy to execute use cases; such as attack defences, risk assessment, and more.

Please enable JavaScript in your browser to complete this form.