Progress Software fixes critical bugs in WS_FTP Server
Bugs are being actively exploited, say researchers
Progress Software has resolved multiple security vulnerabilities within its WinSock File Transfer Protocol (WS_FTP) Server product, including one carrying the highest possible threat rating.
Last week, Progress, the company behind the recently hacked MOVEit file-sharing tool, released an advisory for its secure file transfer solution WS_FTP Server, addressing a total of eight vulnerabilities.
Two were classed as critical, and proof-of-concept (PoC) code is available for one of these issues (CVE-2023-40044).
Researchers from Rapid7 have reported multiple instances of exploitation targeting WS_FTP in the wild.
CVE-2023-40044 is described as a .NET deserialisation vulnerability in the Ad Hoc Transfer module. A pre-authenticated attacker could use it to execute remote commands on the underlying operating system of the WS_FTP Server.
This security flaw has been assigned the highest possible CVSS rating of 10.0. It impacts WS_FTP Server versions preceding 8.7.4 and 8.8.2, and was discovered by Shubham Shah and Sean Yeoh from Assetnote.
The second critical vulnerability, CVE-2023-42657, has received a CVSS score of 9.9 and impacts the same WS_FTP Server versions.
Described as a directory traversal flaw, it could enable an attacker to execute file operations such as deletion, renaming, rmdir (removing directories), and mkdir (creating directories) on files and folders located outside their authorised WS_FTP folder path.
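As an added illustration of the containment check that prevents the class of flaw described above (example code written here, not Progress's WS_FTP code; the user folders are a constructed layout in a temporary directory), the following guards delete, rename, mkdir and rmdir so they cannot reach outside a user's authorised folder:

```python
import os
import shutil
import tempfile
from typing import Optional

# Added example: canonicalise both paths before comparing, so '..' segments,
# absolute paths and symlink escapes are all refused.
def resolve_inside_root(root: str, requested: str) -> Optional[str]:
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:  # e.g. different drives on Windows
        return None
    return candidate

# Performs one of the operations named in the advisory only inside `root`.
def guarded_file_op(root: str, op: str, src: str, dst: Optional[str] = None) -> bool:
    src_path = resolve_inside_root(root, src)
    if src_path is None or src_path == os.path.realpath(root):
        return False  # outside the authorised folder, or the folder itself
    if op == "mkdir":
        os.makedirs(src_path, exist_ok=True)
    elif op == "rmdir":
        os.rmdir(src_path)
    elif op == "delete":
        os.remove(src_path)
    elif op == "rename":
        dst_path = resolve_inside_root(root, dst) if dst else None
        if dst_path is None:
            return False  # destination must stay inside the folder too
        os.rename(src_path, dst_path)
    else:
        return False
    return True

# Constructed scenario: alice's folder sits beside bob's under one base dir.
def demo() -> dict:
    base = tempfile.mkdtemp()
    alice, bob = os.path.join(base, "alice"), os.path.join(base, "bob")
    os.makedirs(alice)
    os.makedirs(bob)
    with open(os.path.join(bob, "secret.txt"), "w") as f:
        f.write("bob's file")
    results = {
        "mkdir_inside": guarded_file_op(alice, "mkdir", "uploads"),
        "delete_traversal": guarded_file_op(alice, "delete", "../bob/secret.txt"),
        "rename_out": guarded_file_op(alice, "rename", "uploads", "../bob/moved"),
        "bob_intact": os.path.exists(os.path.join(bob, "secret.txt")),
    }
    shutil.rmtree(base)
    return results
```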
Caitlin Condon, the head of vulnerability research at Rapid7, said researchers detected a limited number of cases related to the exploitation of WS_FTP Server on 30th September.
These incidents affected various industries, including technology and healthcare.
Condon further noted that the execution pattern remained consistent across all the instances they observed, suggesting the potential for widespread exploitation of vulnerable WS_FTP servers.
John Eddy, a spokesperson for Progress via an outside PR agency, told TechCrunch that the company has no evidence suggesting the exploitation of these vulnerabilities before they were made public.
Assetnote, the security company responsible for first uncovering the vulnerabilities, has said there are approximately 2,900 hosts accessible on the internet that are running WS_FTP and have their web servers exposed.
"Most of these online assets belong to large enterprises, governments and educational institutions," Assetnote said.
Progress Software has introduced the following updated versions of WS_FTP Server for 2020 and 2022:
- WS_FTP Server 2020 2020.0.4 (8.7.4)
- WS_FTP Server 2022 2022.0.2 (8.8.2)
The company is strongly recommending that customers apply these fixes quickly.
Quick fix
In the case of CVE-2023-40044, if applying the patch is not immediately feasible, Progress recommends removing or disabling the Ad Hoc Transfer module, if it is enabled, as a temporary measure to mitigate the risk of exploitation.
Progress addressed six additional vulnerabilities, categorised as high and medium severity issues, in its most recent WS_FTP Server patch.
These vulnerabilities relate to issues including cross-site scripting, SQL injection, cross-site request forgery, and information disclosure vulnerabilities.
They could be exploited to gain access to sensitive data.
In May, the CL0P ransomware group exploited a zero-day vulnerability in Progress's MOVEit Transfer secure managed file transfer (MFT) software.
The breach has had significant repercussions, with researchers at Emsisoft reporting that it led to the compromise of more than 2,000 organisations.