CrushFTP Under Attack: How AccuKnox Stops CVE-2024-4040 Exploitation
What is CrushFTP?
CrushFTP is an enterprise-grade file transfer tool supporting FTP, SFTP, and FTPS protocols. Modern web-based FTP clients provide convenient access to remote servers directly from browsers.
CVE-2024-4040, affecting CrushFTP versions before 10.7.1 and 11.1.0, is a critical vulnerability with a CVSS score of 9.8. It allows remote, low-privileged attackers to bypass the VFS sandbox, read sensitive files, and execute arbitrary code via server-side template injection (SSTI). This flaw has been actively exploited in the wild.
This post demonstrates the CVE-2024-4040 exploitation and how AccuKnox Runtime Security can defend environments from such attacks.
Simulating the Attack in a Kubernetes Cluster
As you can see, a vulnerable version of CrushFTP is running on the Kubernetes cluster:
To exploit the CVE-2024-4040 vulnerability, we will use the exploitation proof-of-concept (PoC) script. You can find the PoC script and detailed instructions at this link.
Exploitation
This will extract the sensitive file /etc/passwd from the CrushFTP server, showcasing the impact of CVE-2024-4040. You can view a demonstration of this process above. In the extracted response, after encountering the message “You need upload permissions to zip a file,” the details of the /etc/passwd file and other sensitive information become visible.
Impact of Exploitation on Kubernetes
If this attack is successful, the attacker can:
- Gain Unauthenticated Remote Code Execution (RCE) within the container.
- Escalate Privileges by leveraging other vulnerabilities in the system.
- Perform Lateral Movement across the Kubernetes cluster, targeting other pods or services.
In a Kubernetes environment, such an attack could expose sensitive data, disrupt services, or open doors for further attacks across the cloud infrastructure.
Defend with AccuKnox Runtime Security
AccuKnox Runtime Security is a runtime security enforcement tool for Kubernetes that can block unauthorized or malicious activity within containers. By integrating AccuKnox Runtime Security’s security policies, you can prevent exploitation attempts in real time.
Now, let’s focus on how you can defend against this attack using AccuKnox Runtime Security’s security capabilities. Before that, ensure AccuKnox Runtime Security is installed and configured on your Kubernetes cluster.
AccuKnox Runtime Security for Protection
In this defense strategy, we use AccuKnox Runtime Security to block unauthorized access to sensitive files and prevent exploitation in real time.
Block Unauthorized File Access
In this step, we’ll be using an AccuKnox Runtime Security hardening policy to block unauthorized access to sensitive files like /etc/passwd. Here’s how the policy looks:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: cve-2024-4040
  namespace: crushftp
spec:
  # Deny (rather than only audit) access to the files listed below
  action: Block
  file:
    matchDirectories:
    - dir: /etc/ssh/
    matchPaths:
    - path: /etc/passwd
    - path: /etc/shadow
    - path: /var/log/auth.log
    - path: /var/log/wtmp
    - path: /var/run/utmp
  message: Access sensitive files detected
  # Applies to pods in the crushftp namespace that carry this label
  selector:
    matchLabels:
      app: cve-2024-4040
  severity: 1
```
In the demonstration below, you can see how the file is accessed before applying AccuKnox Runtime Security policies. After the policies are in place, the same attempt to read /etc/passwd is blocked by AccuKnox Runtime Security, effectively preventing unauthorized access.
Exploitation and Defense
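The following is an added example, not code from the original post or from AccuKnox or KubeArmor: a Python check of which file paths the policy's rules cover. It assumes a simplified matching model (matchPaths is an exact match; matchDirectories covers only files directly in the directory unless recursive: true is set), and the function names and sample path list are hypothetical.

```python
from posixpath import dirname, normpath

# File rules copied from the cve-2024-4040 policy on this page.
POLICY_FILE_RULES = {
    "matchDirectories": [{"dir": "/etc/ssh/"}],
    "matchPaths": [{"path": p} for p in (
        "/etc/passwd", "/etc/shadow", "/var/log/auth.log",
        "/var/log/wtmp", "/var/run/utmp",
    )],
}


def matching_rule(rules, path):
    """Return the rule covering `path`, or None (simplified model, an assumption)."""
    path = normpath(path)
    for rule in rules.get("matchPaths", []):
        if path == rule["path"]:
            return "path " + rule["path"]
    for rule in rules.get("matchDirectories", []):
        base = rule["dir"].rstrip("/")
        if rule.get("recursive", False):
            covered = path.startswith(base + "/")
        else:
            # Without recursive: true, only files directly in the directory match.
            covered = dirname(path) == base
        if covered:
            return "dir " + rule["dir"]
    return None


def coverage_report(rules, paths):
    """Map each path to its covering rule (None means this policy does not block it)."""
    return {p: matching_rule(rules, p) for p in paths}


# Constructed list of paths to check; replace with what your workload holds.
SAMPLE_PATHS = [
    "/etc/passwd",
    "/etc/ssh/sshd_config",
    "/etc/ssh/sshd_config.d/custom.conf",  # nested: needs recursive: true
    "/var/log/auth.log.1",                 # rotated log: exact path differs
]

if __name__ == "__main__":
    for path, rule in coverage_report(POLICY_FILE_RULES, SAMPLE_PATHS).items():
        print(f"{path:40} {'BLOCKED by ' + rule if rule else 'not covered'}")
```

Paths reported as not covered would need their own matchPaths entry or a recursive directory rule before the policy blocks them.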
By utilizing AccuKnox Runtime Security, you enforce:
- Granular Control over file access and execution within containers.
- Real-Time Blocking of exploitation attempts without needing code changes.
- Monitoring and Auditing of any unauthorized actions within the container, helping to detect and mitigate attacks early.
CVE-2024-4040 poses a serious risk, and with AccuKnox Runtime Security you can proactively defend your Kubernetes workloads. Applying runtime policies ensures that attacks are not just detected but actively blocked.
You can protect your workloads in minutes using AccuKnox. It is available to protect your Kubernetes and other cloud workloads using Kernel Native Primitives such as AppArmor, SELinux, and eBPF.
Let us know if you are seeking additional guidance in planning your cloud security program.