CVE-2023-47174: A Critical RCE Vulnerability in Thorn SFTP Gateway

In today’s age of rapid technological development, ensuring the secure transfer of data remains a top priority. Many businesses have turned to solutions like Thorn’s SFTP Gateway to maintain a seamless yet secure bridge between their SFTP clients and cloud storage solutions. However, like all technology, keeping abreast of potential vulnerabilities is crucial to ensure data safety.

A newly disclosed vulnerability, tracked as CVE-2023-47174, is a critical flaw in Thorn SFTP Gateway that could allow an attacker to execute arbitrary code on the SFTP Gateway server.

SFTP Gateway is more than just a conduit for data transfer. Acting as a mediator, it facilitates the secure transfer of files between SFTP clients and leading cloud storage providers, such as Amazon S3, Azure Blob Storage, and Google Cloud Storage. However, this mediator has now found itself vulnerable to a remote code execution (RCE) attack via its web admin portal.

The underlying issue traces back to CVE-2016-1000027 in the Pivotal Spring Framework, a dependency library used by SFTP Gateway. That vulnerability allows remote code execution if the library deserializes untrusted Java data. The CVSS (Common Vulnerability Scoring System) score of this vulnerability is 9.8, emphasizing its critical nature.

CVE-2023-47174 affects the following SFTP Gateway versions:

  • v3.4.0
  • v3.4.1
  • v3.4.2
  • v3.4.3

To verify your version, simply scroll to the footer of the web admin portal of your SFTP Gateway. For those who prefer a hands-on approach, SSH into the VM and check the version filenames in the /opt/sftpgw/ directory.

If you’re using an affected version, here’s a step-by-step guide to fortify your systems:

  1. Tighten Your Defenses: Restrict port 443 access to sysadmin IP addresses. Ideally, following best practices, your web admin portal should already have limited access. Ensure your ingress rules on port 443 aren’t open to everyone. Specifically, avoid rules for HTTPS 443 that permit the range 0.0.0.0/0, and revisit existing rules to prune any outdated entries.
  2. Upgrade to Safety: The most direct route to safety is upgrading. An in-place upgrade to version 3.4.4 using Thorn’s provided script will patch the vulnerability.
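The ingress check from step 1, as an added example that is not from the article or from Thorn: a Python audit over AWS-style security-group data (constructed sample, mirroring the `aws ec2 describe-security-groups` output shape) that flags every rule reaching TCP 443 from a source range outside the admin allow-list. It goes slightly beyond the text by also catching `::/0`, protocol `-1` catch-all rules, and port ranges that happen to include 443.

```python
# Added audit example (not from the article or from Thorn): flag security-group
# rules that expose TCP 443 beyond an admin allow-list. The dict shape mirrors
# `aws ec2 describe-security-groups` (IpPermissions / IpRanges / Ipv6Ranges);
# the data below is constructed.
import ipaddress

SAMPLE_GROUPS = [
    {"GroupId": "sg-example-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-example-restricted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]


def rule_covers_port(perm, port):
    """True if this permission entry reaches `port` ("-1" means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_exposed(groups, allowed, port=443):
    """Return (group_id, cidr) for every source range on `port` that is not
    fully contained in one of the admin ranges listed in `allowed`."""
    admin = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                # Only a range nested inside an admin range of the same IP version passes.
                if not any(net.version == a.version and net.subnet_of(a) for a in admin):
                    findings.append((group["GroupId"], cidr))
    return findings
```

Run it against the real output of `aws ec2 describe-security-groups` by loading the `SecurityGroups` list in place of `SAMPLE_GROUPS`; any finding is a rule to tighten before or alongside the 3.4.4 upgrade.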