Image source: Shutterstock
Based on the extensive targeting of the previous bug in the company’s MOVEit product, it’s safe to bet attacks targeting the WS_FTP flaws are imminent.
A maximum severity vulnerability is present in all versions of Progress Software’s widely used WS_FTP Server file transfer software that gives an unauthenticated attacker a way to remotely execute arbitrary code on affected systems.
The bug is one of eight new vulnerabilities that Progress disclosed this week. Two of the bugs in the batch are of critical severity and need immediate patching. Progress identified three others as high severity vulnerabilities and the remaining three as medium severity flaws. The bugs allow threat actors to execute a wide range of malicious actions.
Here’s what you need to know:
What are the vulnerabilities for which Progress is recommending an immediate update?
CVE-2023-40044, a .NET vulnerability in WS_FTP’s Ad Hoc Transfer module. The vulnerability enables pre-auth remote code execution on the underlying WS_FTP Server operating system. The vulnerability has a CVSS score of 10.0 which is as severe as a vulnerability can possibly get. The flaw affects all versions of WS_FTP with the Ad hoc Transfer module enabled.
CVE-2023-42657, a path traversal flaw that allows attackers to delete and rename files and remove or make directories outside of the WS_FTP folder path. A threat actor could also leverage the flaw to escape the context of the WS_FTP Server file structure and perform the same range of actions on files and folders in the underlying operating system. The vulnerability has a near maximum CVSS score of 9.9 and affects all versions of WS-FTP with the Ad hoc Transfer module.
Is a patch available for both flaws?
Yes, Progress has made version-specific hotfixes available for these two vulnerabilities as well as all other vulnerabilities the company disclosed today. See Progress Software’s security advisory for complete details. Progress recommends that organizations running the affected software update immediately to the latest version of the software.
What if I cannot immediately update my WS_FTP environment for any reason.
Progress Software recommends that organizations which cannot patch immediately, remove or disable the WS_FTP Server Ad hoc Transfer Module. Here are the company’s instructions for how you can do that.
Why the urgency to patch?
Enterprise file transfer products are a popular attack target because of the access they provide to sensitive data. Over the past 12 months there have been multiple attacks targeting vulnerabilities in file transfer products from companies such as Accellion and GoAnywhere and of course most notably, Progress itself. The Cl0p ransomware group and other threat actors have so far compromised over 2,100 organizations worldwide, via CVE-2023-34362, a SQL injection flaw in Progress Software’s MOVEit file transfer software. The vulnerability was a zero-day when Progress first disclosed it in May and has emerged as easily one of the most consequential vulnerabilities of 2023 so far. Based on MOVEit, it’s safe to assume that attacks targeting the new vulnerabilities in WS_FTP will start very soon. Some 40 million people worldwide use the WS_FTP client, which makes it a very attractive target for threat groups.
Has there been any exploit activity targeting the flaws so far?
Nothing that anyone has reported. But according to Rapid7’s threat research team CVE-2-23-40044 is trivial to exploit and requires little more than a single specially constructed HTTPS POST request.
.What are the other vulnerabilities?
The 3 high-severity flaws are: CVE-2023-40045 a reflected cross site scripting (XSS) vulnerability in WS_FTP Server Ad hoc Transfer module that enables malicious JavaScript execution; CVE-2023-40046 a SQL injection vulnerability in the WS_FTP Server manager interface that gives attackers a way to modify or delete database contents; and CVE-2023-40047 a stored XSS in WS_FTP Server’s Management module that allows for malicious JavaScript execution in the context of the victim’s browser.
The three medium security flaws are: CVE-2023-40048; CVE-2022-27665 and CVE-2023-40049.