A critical vulnerability has been identified in LiquidFiles appliances, rated 9.9 out of 10. This flaw allows a low-privileged user to gain complete control of the system, enabling them to execute arbitrary code with the highest privileges (root). Successful exploitation could lead to total data compromise, theft of sensitive files, and further attacks on the internal network.

The vulnerability exists within the FTP service of the LiquidFiles appliance. The service incorrectly allows authenticated "FTPDrop" users to use the SITE CHMOD command to set special file permissions, specifically the setuid and setgid bits (mode 6777). An attacker with FTPDrop credentials can upload a malicious script, use the SITE CHMOD command to make it executable with root privileges, and then leverage the "Actionscript" feature to trigger its execution. This results in the attacker's code running as the root user, leading to a full system compromise.

This vulnerability is rated as critical severity with a CVSS score of 9.9, posing an extreme risk to the organization. A successful exploit grants an attacker complete administrative control over the LiquidFiles appliance. This could result in the theft of all sensitive data stored on or transferred through the device, violating data confidentiality and privacy agreements. An attacker could also install persistent backdoors, deploy ransomware, disrupt the secure file transfer service, or use the compromised appliance as a beachhead to launch further attacks against the internal corporate network.

Immediate Action: Immediately update all vulnerable LiquidFiles instances to version 4.1.2 or a later version as specified by the vendor. This patch remediates the vulnerability by disallowing the use of SITE CHMOD to set dangerous permissions like setuid and setgid.

Proactive Monitoring:

• Log Analysis: Review FTP server logs for any use of the SITE CHMOD command, particularly attempts to set mode 6777 or similar modes with setuid/setgid bits (e.g., 4755). Scrutinize sudo logs for any unexpected commands being executed.
• File System Auditing: Monitor file uploads from FTPDrop users and audit for any files with setuid or setgid permissions enabled.
• Behavioral Analysis: Monitor for any unusual processes running as the root user, unexpected outbound network connections from the LiquidFiles appliance, or unauthorized system configuration changes.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Restrict access to the FTP service to only known, trusted IP addresses using firewall rules.
• If the "Actionscript" feature is not required for business operations, disable it to break a key step in the exploit chain.
• Deploy an Intrusion Prevention System (IPS) with signatures capable of detecting and blocking SITE CHMOD commands with malicious permission settings.

Public Exploit Available: False

This vulnerability represents a direct and severe threat to the security of the organization's data and infrastructure. Due to the critical CVSS score of 9.9, which indicates a trivial path to complete system compromise, immediate action is required. We strongly recommend that all vulnerable LiquidFiles appliances be patched to the latest version without delay. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion. If patching cannot be performed immediately, apply the recommended compensating controls and actively hunt for indicators of compromise.