Description
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-9910
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2025-9910 affects CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1. It allows for authentication bypass and takeover of the crushadmin account, which can lead to a full compromise of the system. The vulnerability is rated with a CVSS Base Score of 9.8, indicating a critical severity level. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) highlights the following characteristics:
- Attack Vector (AV:N): The vulnerability can be exploited remotely over the network.
- Attack Complexity (AC:L): Low complexity; no special conditions beyond network access are needed to exploit it.
- Privileges Required (PR:N): No privileges are required to exploit the vulnerability.
- User Interaction (UI:N): No user interaction is required.
- Scope (S:U): Scope unchanged; the impact is confined to the security scope of the vulnerable CrushFTP component.
- Confidentiality (C:H): High impact on confidentiality.
- Integrity (I:H): High impact on integrity.
- Availability (A:H): High impact on availability.
2. Potential Attack Vectors and Exploitation Methods
The primary attack vector involves exploiting a race condition in the AWS4-HMAC authorization method of the HTTP component of the FTP server. The attack can be stabilized by sending a mangled AWS4-HMAC header, which triggers an index-out-of-bounds error and prevents session cleanup. This allows an attacker to authenticate as any known or guessable user, including the crushadmin account, leading to a full system compromise.
Exploitation Methods:
- Race Condition Exploitation: By exploiting the race condition, an attacker can bypass authentication.
- Mangled AWS4-HMAC Header: Sending a mangled header stabilizes the exploit, making it more reliable.
- Unauthenticated HTTP(S) Port Access: The vulnerability can be exploited over HTTP(S) ports without requiring authentication.
3. Affected Systems and Software Versions
The vulnerability affects the following versions of CrushFTP:
- CrushFTP 10 before 10.8.4
- CrushFTP 11 before 11.3.1
Systems running these versions are at risk, particularly if they are exposed to the internet; per the description, the bypass does not apply when a DMZ proxy instance fronts the server.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade Software: Upgrade to CrushFTP 10.8.4 or later, or CrushFTP 11.3.1 or later.
- Use DMZ Proxy: Implement a DMZ proxy instance to mitigate the risk of unauthenticated access.
Long-Term Mitigation:
- Network Segmentation: Segregate critical systems from public-facing networks.
- Regular Patching: Ensure regular updates and patches are applied to all software.
- Monitoring and Logging: Implement robust monitoring and logging to detect and respond to suspicious activities.
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to organizations using CrushFTP within the European Union. Given the critical nature of the vulnerability, it could lead to data breaches, unauthorized access, and potential disruption of services. The widespread use of CrushFTP in various sectors, including finance, healthcare, and government, amplifies the potential impact.
6. Technical Details for Security Professionals
Vulnerability Details:
- Race Condition: The server first confirms that the user exists via login_user_pass() without requiring a password, which marks the session as authenticated until a second user verification check runs; the window between the two checks is the race condition.
- Mangled Header: An AWS4-HMAC header whose credential field contains only the username and a following slash (/) still resolves the user, but the server then fails to find the expected SignedHeaders entry, raising an index-out-of-bounds error that prevents the session cleanup from running.
- Authentication Bypass: The vulnerability allows authentication as any known or guessable user, including administrative accounts.
Exploitation Steps:
- Identify Target: Identify a CrushFTP server running a vulnerable version.
- Send Mangled Header: Craft and send a mangled AWS4-HMAC header to the server.
- Authenticate: Authenticate as the crushadmin account or any other known user.
- Compromise System: Gain full control over the system, leading to potential data exfiltration, modification, or service disruption.
Detection and Response:
- Intrusion Detection Systems (IDS): Deploy IDS rules for the CrushFTP HTTP(S) port that flag AWS4-HMAC Authorization headers with an incomplete credential scope (a bare username followed by a slash) or with no SignedHeaders entry.
- Log Analysis: Regularly analyze CrushFTP and proxy logs for authentications to crushadmin or other accounts that originate from HTTP(S) requests carrying malformed AWS4-HMAC headers, and for index-out-of-bounds errors logged by the HTTP component.
- Incident Response Plan: Develop and implement an incident response plan to quickly address any detected exploitation attempts.
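The detection items above, as an added example that is not part of this advisory or of CrushFTP: a Python triage script that parses AWS4-HMAC Authorization values out of constructed access-log lines and flags the malformed shapes the description calls out (a Credential field reduced to a username and a slash, and a missing SignedHeaders entry). The log layout, the field names, and the sample lines are assumptions; CrushFTP's own log format differs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed log layout: "<client-ip> "<request-line>" <Authorization header value>".
LOG_RE = re.compile(r'^(\S+) "([^"]*)" (.*)$')

# Constructed sample lines; not taken from any real deployment.
SAMPLE_LOG = [
    '198.51.100.7 "GET /bucket/ HTTP/1.1" AWS4-HMAC-SHA256 Credential=alice/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=3a1f',
    '203.0.113.9 "GET / HTTP/1.1" AWS4-HMAC-SHA256 Credential=crushadmin/, Signature=00',
    '203.0.113.9 "GET / HTTP/1.1" AWS4-HMAC-SHA256 Credential=bob/20250401/us-east-1/s3/aws4_request, Signature=abcd',
    '192.0.2.4 "GET /files/ HTTP/1.1" Basic dXNlcjpwYXNz',
]


def parse_aws4_auth(value: str) -> Optional[Dict[str, str]]:
    """Split an AWS4-HMAC Authorization value into its key=value fields.
    Returns None when the header is not an AWS4-HMAC header at all."""
    if not value.startswith("AWS4-HMAC"):
        return None
    _, _, rest = value.partition(" ")
    fields: Dict[str, str] = {}
    for part in rest.split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key] = val
    return fields


def audit_aws4_header(value: str) -> List[str]:
    """Return findings for one header; an empty list means it is well-formed."""
    fields = parse_aws4_auth(value)
    if fields is None:
        return []
    findings: List[str] = []
    scope = fields.get("Credential", "").split("/")
    # A well-formed SigV4 credential has five parts: key/date/region/service/aws4_request.
    if len(scope) != 5 or not all(scope):
        findings.append(f"credential scope incomplete for user '{scope[0]}'")
    if "SignedHeaders" not in fields:
        findings.append("SignedHeaders missing")
    if "Signature" not in fields:
        findings.append("Signature missing")
    return findings


def triage(log_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (client-ip, findings) for every line whose header is suspicious."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ip, _request, auth = m.groups()
            findings = audit_aws4_header(auth)
            if findings:
                hits.append((ip, findings))
    return hits
```

Adapt LOG_RE to the reverse proxy or CrushFTP log you actually ingest; the header checks themselves do not depend on the log layout.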
By addressing this vulnerability promptly and implementing robust security measures, organizations can mitigate the risk of exploitation and protect their critical systems and data.