Progress Software has released hotfixes for a critical security vulnerability, along with seven other flaws, in the WS_FTP Server Ad Hoc Transfer module and the WS_FTP Server Manager interface.
Tracked as CVE-2023-40044, the flaw carries a CVSS score of 10.0, the maximum severity rating. All versions of the software are affected.
“In versions of the WS_FTP Server before 8.7.4 and 8.8.2, a previously authenticated attacker could exploit a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying operating system of the WS_FTP Server,” the company said in a notice.
Assetnote security researchers Shubham Shah and Sean Yeoh are credited with discovering and reporting the vulnerability.
The list of remaining bugs affecting WS_FTP server versions prior to 8.8.2 is as follows:
- CVE-2023-42657 (CVSS Score: 9.9) – A directory traversal vulnerability that could be exploited to perform file operations.
- CVE-2023-40047 (CVSS Score: 8.3) – A stored cross-site scripting (XSS) vulnerability in the WS_FTP Server Management Module that could be exploited by an attacker with administrator privileges to import an SSL certificate with malicious attributes containing XSS payloads, which could then be activated in the victim’s browser.
- CVE-2023-40046 (CVSS Score: 8.2) – A SQL injection vulnerability in the WS_FTP Server Manager interface that could be exploited to infer information stored in the database and execute SQL statements that alter or delete its contents.
- CVE-2023-40048 (CVSS Score: 6.8) – A cross-site request forgery (CSRF) vulnerability in the WS_FTP Server Manager interface.
- CVE-2022-27665 (CVSS Score: 6.1) – A reflected cross-site scripting (XSS) vulnerability in Progress Ipswitch WS_FTP Server 8.6.0 that may lead to malicious code and command execution on the client.
- CVE-2023-40049 (CVSS Score: 5.3) – An authentication bypass vulnerability that allows users to list files in the ‘WebServiceHost’ directory.
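The fixed releases named in the vendor notice above are branch-specific (8.7.4 for the 8.7 line, 8.8.2 for the 8.8 line), so a plain numeric comparison gets it wrong: 8.8.0 sorts above 8.7.4 yet is still vulnerable. The following Python is an added example, not code from the article or from Progress Software, that encodes that branch logic for CVE-2023-40044 so an asset inventory can be triaged for patch status. The hostnames and version strings in the inventory are constructed sample input, and the assumption that any branch newer than 8.8 already contains the fix is the author's, not the vendor's.

```python
"""Triage WS_FTP Server versions against the CVE-2023-40044 fixed releases.

Added example (not from the article or the vendor). Fixed versions come
from the vendor notice quoted in the article: 8.7.4 and 8.8.2.
"""
from __future__ import annotations

# Fixed releases named in the vendor notice, keyed by (major, minor) branch.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (8, 7): (8, 7, 4),
    (8, 8): (8, 8, 2),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.8.1' or '8.7.4.0' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable WS_FTP version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one version string as 'patched', 'vulnerable' or
    'newer-than-advisory' for CVE-2023-40044."""
    v = parse_version(version)
    branch = v[:2]
    # Normalise to three components so '8.8' compares as 8.8.0.
    v3 = (v + (0, 0, 0))[:3]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        # Same branch as a hotfix: compare within that branch only.
        return "patched" if v3 >= fixed else "vulnerable"
    if branch > (8, 8):
        # Assumption (not stated by the vendor): later branches ship the fix.
        return "newer-than-advisory"
    # Branches older than 8.7 have no hotfix named; the article says all
    # versions are affected, so treat them as vulnerable (upgrade to 8.8.2).
    return "vulnerable"


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment so the 'vulnerable' bucket is the work list."""
    buckets: dict[str, list[str]] = {}
    for host, version in inventory.items():
        try:
            status = assess(version)
        except ValueError:
            status = "unparseable"
        buckets.setdefault(status, []).append(host)
    for hosts in buckets.values():
        hosts.sort()
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ftp01.example.test": "8.8.1",
    "ftp02.example.test": "8.8.2",
    "ftp03.example.test": "8.7.4",
    "ftp04.example.test": "8.6.0",
    "ftp05.example.test": "8.8",
    "ftp06.example.test": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Run as a script it prints one line per bucket; feed `triage_inventory` a real host-to-version map from your CMDB or a banner survey and the `vulnerable` bucket is the patch work list.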
With security flaws in Progress Software becoming an attractive target for ransomware groups like Cl0p, it is essential that users act quickly to apply the latest patches to contain potential threats.
Meanwhile, the company is still dealing with the fallout from the massive attack targeting its MOVEit Transfer secure file transfer platform since May 2023. More than 2,100 organizations and more than 62 million people are estimated to have been affected, according to Emsisoft.
Cybersecurity firm Rapid7 said it has observed “multiple instances of WS_FTP exploitation in the wild” as part of what it said is likely an opportunistic campaign, making it imperative that users act quickly to apply fixes.
“This vulnerability turned out to be relatively simple and represented a typical .NET deserialization issue that led to RCE,” Assetnote said in an advisory for CVE-2023-40044. “It is surprising that this bug has remained alive for so long, as the vendor claims that most versions of WS_FTP are vulnerable.”
Huntress Labs, in an advisory, said it has detected exploitation in the wild in a very small number of cases, indicating that the activity so far is mostly opportunistic in nature, with threat actors casting a wide net to breach vulnerable instances.
“CVE-2023-40044 is a .NET deserialization vulnerability in the WS_FTP Ad Hoc Transfer module,” said Tenable researcher Satnam Narang. “An unauthenticated (or previously authenticated) attacker could exploit this vulnerability by sending a specially crafted POST request to a vulnerable WS_FTP server.”
However, attack surface management vendor Censys noted that “the number of potentially vulnerable servers is much smaller than expected, which is not the worst news.”