Add new attachment

Only authorized users are allowed to upload new attachments.

List of attachments

Kind Attachment Name Size Version Date Modified Author Change note
jpg
minor_update.jpg 356.6 kB 1 05-Dec-2023 05:32 Ada Csaba

This page (revision-45) was last changed on 15-Nov-2024 05:18 by Ben Spink

This page was created on 05-Dec-2023 05:32 by Ben Spink

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Difference between version and

At line 1 changed 2 lines
__April 19th, 2024 - CVE-2024-4040\\
CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a [DMZ] in front of their main CrushFTP instance are partially protected with its protocol translation system it utilizes. A DMZ however does not fully protect you and you must update immediately. (CREDIT:Simon Garrelou, of Airbus CERT)__\\
!!!__Update Bug on Windows__
Some versions of CrushFTP had a problem applying an update automatically. They would fail to rename ".jar" files on Windows operating systems. They would instead leave behind ".jar_tmp" files needing the "_tmp" manually removed from them. This has been fixed for a while, but if you are still on one of these older builds, you will be affected the next time you attempt the update. So you need to fix the jar filenames one time manually. Example: CrushFTP.jar_tmp -> CrushFTP.jar. Same for all other jars in plugins, plugins/lib folder, and the WebInterface folder has CrushTunnel.jar. Do all 3 locations entirely.
At line 4 added 13 lines
\\
!!Vulnerability Info
__November 11th, 2024 - (CVE - coming soon...pending)\\
V10 versions below 10.8.3 and V11 versions below 11.2.3 are vulnerable to a password reset email exploit. If an end user clicks the link, their account is compromised.
(CREDIT: Stratascale Cyber Research Unit)__\\
Once you update you must configure your allowed email reset URL domains.\\
v10:Preferences, WebInterface, MiniURL: Set an allowed list of domains, comma separated.\\
v11:Preferneces, WebInterface, Login Page: Set a domain pattern that is not just '*' as a '*' is no longer allowed.\\
----
April 19th, 2024 - CVE-2024-4040\\
CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a [DMZ] in front of their main CrushFTP instance are partially protected with its protocol translation system it utilizes. A DMZ however does not fully protect you and you must update immediately. (CREDIT:Simon Garrelou, of Airbus CERT)\\
----
\\
At line 5 changed 5 lines
•If I'm on v10.7.1...do I need to upgrade to v11? No, just update v10 to v10.7.1.\\
•If I'm on v10.6.1, or v10.3, or v10.5.5, am I vulnerable? Yes! Update immediately to 10.7.1.\\
•Can you tell me how I can check if I have been exploited? Not really..the nature of this was common words that could be in your log already. So there is no silver bullet search term to check for. Looking for "<INCLUDE" is an indicator.\\
•If I have a DMZ am I safe? NO! As of April 22, we have changed our opinion on this. A DMZ does not fully protect you.\\
•If I only have my SFTP port exposed to the internet but not any web ports...am I safe? Yes, this exploit specifically works with the WebInterface port.\\
•If I'm on v10.8.3+...do I need to upgrade to v11? No, 10.8.3+ are safe.\\
•If I'm on v10.6.1, or v10.3, or v10.5.5, am I vulnerable? Yes! Update immediately to 10.8.3+ or v11.2.3+.\\
Version Date Modified Size Author Changes ... Change note
45 15-Nov-2024 05:18 3.719 kB Ben Spink to previous
44 14-Nov-2024 10:56 3.693 kB Ben Spink to previous | to last
43 11-Nov-2024 10:22 3.679 kB Ben Spink to previous | to last
42 11-Nov-2024 06:03 3.649 kB Ben Spink to previous | to last
41 11-Nov-2024 06:02 3.643 kB Ben Spink to previous | to last
« This page (revision-45) was last changed on 15-Nov-2024 05:18 by Ben Spink
G’day (anonymous guest)
CrushFTP11 | What's New

Referenced by
LeftMenu

JSPWiki