Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface.
Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are impacted by the flaw.
"In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system," the company said in an advisory.
Assetnote security researchers Shubham Shah and Sean Yeoh have been credited with discovering and reporting the vulnerability.
The list of remaining flaws, impacting WS_FTP Server versions prior to 8.8.2, is as follows:
- CVE-2023-42657 (CVSS score: 9.9) - A directory traversal vulnerability that could be exploited to perform file operations.
- CVE-2023-40045 (CVSS score: 8.3) - A reflected cross-site scripting (XSS) vulnerability in the WS_FTP Server's Ad Hoc Transfer module that could be exploited to execute arbitrary JavaScript within the context of the victim's browser.
- CVE-2023-40047 (CVSS score: 8.3) - A stored cross-site scripting (XSS) vulnerability in the WS_FTP Server's Management module that could be exploited by an attacker with admin privileges to import an SSL certificate with malicious attributes containing XSS payloads, which could then be triggered in the victim's browser.
- CVE-2023-40046 (CVSS score: 8.2) - An SQL injection vulnerability in the WS_FTP Server manager interface that could be exploited to infer information stored in the database and execute SQL statements that alter or delete its contents.
- CVE-2023-40048 (CVSS score: 6.8) - A cross-site request forgery (CSRF) vulnerability in the WS_FTP Server Manager interface.
- CVE-2022-27665 (CVSS score: 6.1) - A reflected cross-site scripting (XSS) vulnerability in Progress Ipswitch WS_FTP Server 8.6.0 that can lead to execution of malicious code and commands on the client.
- CVE-2023-40049 (CVSS score: 5.3) - An authentication bypass vulnerability that allows users to enumerate files under the 'WebServiceHost' directory listing.
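As an added defender-side example (not code from the article, Progress or the researchers cited), the helper below applies the version thresholds stated above (8.7.4 and 8.8.2 for CVE-2023-40044; prior to 8.8.2 for the remaining flaws, as the article phrases it) to a constructed inventory; the hostnames and versions are made-up sample data.

```python
"""Triage WS_FTP Server versions against the thresholds quoted in the article."""
import re

# The article lists the remaining seven flaws as affecting versions prior to 8.8.2.
OTHER_FIXED = (8, 8, 2)
OTHER_CVES = ["CVE-2023-42657", "CVE-2023-40045", "CVE-2023-40047",
              "CVE-2023-40046", "CVE-2023-40048", "CVE-2022-27665", "CVE-2023-40049"]

# Constructed sample inventory (host,version); not real hosts.
SAMPLE_INVENTORY = """\
ftp01.example.internal,8.7.3
ftp02.example.internal,8.8.2
ftp03.example.internal,8.6.0
ftp04.example.internal,8.7.4
"""

def parse_version(text):
    """Turn '8.7.3' (or '8.6') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def rce_vulnerable(version):
    """CVE-2023-40044: fixed in 8.7.4 on the 8.7 branch and in 8.8.2 otherwise."""
    v = parse_version(version)
    if v[:2] == (8, 7):
        return v < (8, 7, 4)
    return v < (8, 8, 2)

def outstanding_cves(version):
    """Return the article's CVE ids that still apply to the given version."""
    found = ["CVE-2023-40044"] if rce_vulnerable(version) else []
    if parse_version(version) < OTHER_FIXED:
        found.extend(OTHER_CVES)
    return found

def triage(inventory_csv):
    """Map each host in a 'host,version' listing to its outstanding CVE ids."""
    report = {}
    for line in inventory_csv.splitlines():
        if line.strip():
            host, version = line.split(",", 1)
            report[host] = outstanding_cves(version)
    return report

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, "OK" if not cves else ", ".join(cves))
```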
With security flaws in Progress Software becoming an attractive target for ransomware groups like Cl0p, it's essential that users move quickly to apply the latest patches to contain potential threats.
The company, in the meantime, is still grappling with the fallout from the mass hack targeting its MOVEit Transfer secure file transfer platform since May 2023. More than 2,100 organizations and over 62 million individuals are estimated to have been impacted, according to Emsisoft.
Update
Cybersecurity firm Rapid7 said it has observed "multiple instances of WS_FTP exploitation in the wild" as part of what it said is likely an opportunistic campaign, making it imperative that users move quickly to apply the fixes.
"This vulnerability turned out to be relatively straightforward and represented a typical .NET deserialization issue that led to RCE," Assetnote said in an advisory for CVE-2023-40044. "It's surprising that this bug has stayed alive for so long, with the vendor stating that most versions of WS_FTP are vulnerable."
Huntress Labs, in an advisory, said it has detected in-the-wild exploitation in a very small number of cases, indicating that the activity so far is mostly opportunistic in nature, with threat actors casting a wide net to breach vulnerable instances.
"CVE-2023-40044 is a .NET deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP," Tenable researcher Satnam Narang said. "An unauthenticated (or pre-authenticated) attacker could exploit this vulnerability by sending a specially crafted POST request to a vulnerable WS_FTP Server."
However, attack surface management vendor Censys pointed out that "the number of potentially vulnerable servers is much lower than expected, which is not the worst news."
Statement from Progress spokesperson:
"We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch. We are not aware of any evidence that these vulnerabilities were being exploited prior to that release. Unfortunately, by building and releasing a POC rapidly after our patch was released, a third-party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible.
"The security of our customers is our top priority and we continue to work with our customers and responsible third-party research experts to discover, properly disclose and remediate any issues. We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors."