csaf_ncscnl - ncsc-2025-0101

ncsc-2025-0101

Vulnerability from csaf_ncscnl

Published

2025-04-01 07:47

Modified

2025-04-07 14:03

Summary

Kwetsbaarheid verholpen in CrushFTP

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

CrushFTP heeft een kwetsbaarheid verholpen in versies 10.0.0 tot 10.8.3 en 11.0.0 tot 11.3.0.

Interpretaties

De kwetsbaarheid stelt een kwaadwillende in staat om ongeauthenticeerde externe toegang te verkrijgen via HTTP-verzoeken, wat kan leiden tot ongeautoriseerde toegang. Systemen die gebruik maken van de DMZ Proxy instance van CrushFTP zijn niet kwetsbaar. Onderzoekers hebben de patch reverse-engineered en hebben een PoC kunnen bouwen waarmee de kwetsbaarheid kan worden aangetoond. Het NCSC ontvangt meldingen dat kwaadwillenden actief scannen naar kwetsbare systemen en dat compromittaties worden waargenomen. Eigenaren van een systeem dat gebruik maakt van CrushFTP kunnen detecteren of eventuele compromittatie heeft plaatsgevonden, door in de `session_logs` directory te controleren of externe toegang is verkregen op standaard accounts als `crushadmin` of `anonymous`. Logregels als voorbeeld zijn: ``` SESSION|03/27/2025 12:41:24.636|[HTTP:250_22299:crushadmin:REDACTED_ATTACKER_IP] WROTE: *230 Password OK. Connected.* SESSION|03/27/2025 12:41:24.636|[HTTP:250_22299:anonymous:REDACTED_ATTACKER_IP] WROTE: *230 Password OK. Connected.* ``` N.B.: Tijdens de initiële berichtenstroom was voor deze kwetsbaarheid nog geen CVE-id toegekend. Een niet-betrokken derde partij heeft een tijdelijk CVE-id toegekend in afwachting van de definitieve versie. Deze kwetsbaarheid is daarom ook onder CVE-2025-2825 bekend.

Oplossingen

CrushFTP heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-287

Improper Authentication

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "CrushFTP heeft een kwetsbaarheid verholpen in versies 10.0.0 tot 10.8.3 en 11.0.0 tot 11.3.0.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheid stelt een kwaadwillende in staat om ongeauthenticeerde externe toegang te verkrijgen via HTTP-verzoeken, wat kan leiden tot ongeautoriseerde toegang. Systemen die gebruik maken van de DMZ Proxy instance van CrushFTP zijn niet kwetsbaar.\n\nOnderzoekers hebben de patch reverse-engineered en hebben een PoC kunnen bouwen waarmee de kwetsbaarheid kan worden aangetoond.\n\nHet NCSC ontvangt meldingen dat kwaadwillenden actief scannen naar kwetsbare systemen en dat compromittaties worden waargenomen.\n\nEigenaren van een systeem dat gebruik maakt van CrushFTP kunnen detecteren of eventuele compromittatie heeft plaatsgevonden, door in de `session_logs` directory te controleren of externe toegang is verkregen op standaard accounts als `crushadmin` of `anonymous`. Logregels als voorbeeld zijn:\n\n```\nSESSION|03/27/2025 12:41:24.636|[HTTP:250_22299:crushadmin:REDACTED_ATTACKER_IP] WROTE: *230 Password OK.  Connected.*\n\nSESSION|03/27/2025 12:41:24.636|[HTTP:250_22299:anonymous:REDACTED_ATTACKER_IP] WROTE: *230 Password OK.  Connected.*\n```\n\nN.B.: Tijdens de initi\u00eble berichtenstroom was voor deze kwetsbaarheid nog geen CVE-id toegekend. Een niet-betrokken derde partij heeft een tijdelijk CVE-id toegekend in afwachting van de definitieve versie. Deze kwetsbaarheid is daarom ook onder CVE-2025-2825 bekend.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "CrushFTP heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Authentication",
        "title": "CWE-287"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - certbundde; cveprojectv5; nvd",
        "url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.crushftp.com/version10.html"
      }
    ],
    "title": "Kwetsbaarheid verholpen in CrushFTP",
    "tracking": {
      "current_release_date": "2025-04-07T14:03:59.372671Z",
      "generator": {
        "date": "2025-02-25T15:15:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.0"
        }
      },
      "id": "NCSC-2025-0101",
      "initial_release_date": "2025-04-01T07:47:50.425419Z",
      "revision_history": [
        {
          "date": "2025-04-01T07:47:50.425419Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        },
        {
          "date": "2025-04-07T14:03:59.372671Z",
          "number": "1.0.1",
          "summary": "CVE-id vervangen voor officiele CVE-id voor deze kwetsbaarheid.\n\nOnderzoekers hebben PoC gepubliceerd."
        }
      ],
      "status": "final",
      "version": "1.0.1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/10.0.0|\u003c10.8.4",
                "product": {
                  "name": "vers:semver/10.0.0|\u003c10.8.4",
                  "product_id": "CSAFPID-2566677"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/11.0.0|\u003c11.3.1",
                "product": {
                  "name": "vers:semver/11.0.0|\u003c11.3.1",
                  "product_id": "CSAFPID-2566676"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003cv11.3.1",
                "product": {
                  "name": "vers:unknown/\u003cv11.3.1",
                  "product_id": "CSAFPID-2570442"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/v11",
                "product": {
                  "name": "vers:unknown/v11",
                  "product_id": "CSAFPID-2570443",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:crushftp:crushftp:v11"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "CrushFTP"
          }
        ],
        "category": "vendor",
        "name": "CrushFTP"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:unknown/10.3",
                    "product": {
                      "name": "vers:unknown/10.3",
                      "product_id": "CSAFPID-2577456"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "vers:unknown/10.5.5",
                    "product": {
                      "name": "vers:unknown/10.5.5",
                      "product_id": "CSAFPID-2577459"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "vers:unknown/10.6.1",
                    "product": {
                      "name": "vers:unknown/10.6.1",
                      "product_id": "CSAFPID-2577455"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "vers:unknown/\u003e=10.0.0|\u003c10.8.4",
                    "product": {
                      "name": "vers:unknown/\u003e=10.0.0|\u003c10.8.4",
                      "product_id": "CSAFPID-2577457"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "vers:unknown/\u003e=11.0.0|\u003c11.3.1",
                    "product": {
                      "name": "vers:unknown/\u003e=11.0.0|\u003c11.3.1",
                      "product_id": "CSAFPID-2577458"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Crushftp"
              }
            ],
            "category": "product_family",
            "name": "Crushftp"
          }
        ],
        "category": "vendor",
        "name": "Crushftp"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31161",
      "cwe": {
        "id": "CWE-305",
        "name": "Authentication Bypass by Primary Weakness"
      },
      "notes": [
        {
          "category": "other",
          "text": "Authentication Bypass by Primary Weakness",
          "title": "CWE-305"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2566677",
          "CSAFPID-2566676",
          "CSAFPID-2570442",
          "CSAFPID-2570443",
          "CSAFPID-2577456",
          "CSAFPID-2577459",
          "CSAFPID-2577455",
          "CSAFPID-2577457",
          "CSAFPID-2577458"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-31161",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-31161.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2566677",
            "CSAFPID-2566676",
            "CSAFPID-2570442",
            "CSAFPID-2570443",
            "CSAFPID-2577456",
            "CSAFPID-2577459",
            "CSAFPID-2577455",
            "CSAFPID-2577457",
            "CSAFPID-2577458"
          ]
        }
      ],
      "title": "CVE-2025-31161"
    }
  ]
}

CVE-2025-31161 (GCVE-0-2025-31161)

Vulnerability from cvelistv5

Published

2025-04-03 00:00

Modified

2025-07-30 01:36

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-305 - Authentication Bypass by Primary Weakness

Summary

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.

References

►

URL

Tags

	https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
	https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo

Impacted products

	Vendor	Product	Version
	CrushFTP	CrushFTP	Version: 10 < 10.8.4 Version: 11 < 11.3.1

Show details on NVD website