Published: October 4, 2023
Overview
There are two critical vulnerabilities discovered in WS_FTP Server, among the multiple vulnerabilities discovered in WS_FTP Server. WS_FTP Server is a secure file transfer solution developed by Progress Software. The first vulnerability is CVE-2023-40044 (CVSS Score of 10) which is .NET deserialization vulnerability in the AdHoc Transfer module in WS_FTP Server leading to Remote Code Execution. And the second one is CVE-2023-42657 (CVSS Score of 9.9 ) is a directory traversal vulnerability leading to unauthorised operations on files and directories in the operating system. There are other high severity vulnerabilities in WS_FTP Server solutions – CVE-2023-40045 (CVSS 8.3), CVE-2023-40046 (CVSS 8.2), CVE-2023-40047( CVSS 8.3), CVE-2023-40048 (CVSS 6.8) and CVE-2023-40049 (CVSS 5.3). Progress Software has released patches for these vulnerabilities.
Impact
CVE-2023-40044 is a critical zero-day vulnerability in Progress Software’s WS_FTP Server solution that allows pre-authenticated attacker to perform Remote Code Execution.
CVE-2023-42657 is a directory traversal vulnerability. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system. These vulnerabilities can have serious consequences as it can lead to remote command execution and unauthorized file operations. Multiple instances of exploitation have been found in the wild.
CVE-2023-40045 and CVE-2023-40047 are Cross Site Scripting vulnerabilities.
CVE-2023-40046 is a SQL injection vulnerability.
CVE-2023-40048 is a Cross Site Request Forgery (CSRF) vulnerability and CVE-2023-40049 is an authentication bypass vulnerability.
Applicable Versions
| Affected Version | Updated Version |
|---|---|
| WS_FTP Server prior to version 8.7.4 | WS_FTP Server version 8.7.4 |
| WS_FTP Server prior to version 8.8.2 | WS_FTP Server version 8.8.2 |
Mitigations and Workarounds
According to the advisory, upgrading to a patched release using the full installer is the only way to remediate this issue. There will be an outage to the system while the upgrade is running. The optimal course of action is to update to 8.8.2 as the vendor has advised.
If the customer is using the Ad Hoc Transfer module in WS_FTP Server and are not able to update to a fixed version, consider disabling or removing the module.
Best Practices
It is a good practise to update the WS_FTP Server solution with the latest available versions. In addition to that, for more information refer to the resource.
Netsurion Detection and Response
Netsurion researchers are continuously monitoring the exploits of these vulnerabilities. Our security analysts would be adding the IOCs (Indicators of Compromise – the hashes of malicious files and the IP addresses) to Netsurion Threat Center, our threat intelligence platform. This will help detect malicious files and suspicious Command and Control communications to malicious IP addresses to detect these vulnerabilities . Netsurion’s vulnerability management system will also detect the vulnerability (CVE-2023-40042, CVE-2023-42657) for customers who have subscribed to Netsurion Vulnerability Management.
References:
- https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
- https://www.securityweek.com/live-exploitation-underscores-urgency-to-patch-critical-ws-ftp-server-flaw/
- https://www.securityweek.com/progress-software-patches-critical-pre-auth-flaws-in-ws_ftp-server-product/
- https://thehackernews.com/2023/09/progress-software-releases-urgent.html
- https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
- https://www.ipswitch.com/ftp-server