Progress Software has once again alerted enterprise security teams about critical vulnerabilities in its file-transfer software. This time the affected product is WS_FTP, a file transfer product used by approximately 40 million users. The bugs discovered include one that allows pre-authenticated remote code execution (RCE) without any user interaction, another of near-maximum severity, and six others of high or medium severity.
What makes this situation even more concerning is that Progress Software’s customers are still dealing with the aftermath of a zero-day vulnerability in its MOVEit file transfer technology, which was disclosed in May. This flaw has already affected over 2,100 organizations, with many falling victim to attacks by the Cl0p ransomware group. The newly disclosed vulnerabilities in the WS_FTP software pose similar risks, as they affect all supported versions of the software.
Progress Software has assured its customers that it has not detected any signs of exploit activity targeting these vulnerabilities. The company has worked with researchers at Assetnote to responsibly disclose the flaws and has already issued a fix. They are urging customers to upgrade to the patched version of the software to protect their organizations.
To address the vulnerabilities, Progress Software has released version-specific hotfixes for all affected products and is urging customers to update immediately or follow the recommended mitigation steps. They are also advising organizations using unsupported versions of WS_FTP to upgrade to a supported and fixed version as soon as possible. Progress Software acknowledges that there will be an outage during the upgrade process.
The vulnerabilities disclosed this week specifically impact the WS_FTP Server Ad hoc Transfer Module and the WS_FTP Server manager interface. The most severe vulnerability, identified as CVE-2023-40044, affects versions prior to 8.7.4 and 8.8.2. It allows attackers to gain pre-authentication RCE on affected systems. The issue is related to a .NET serialization vulnerability, which can lead to denial-of-service attacks, information leaks, and RCE. Two researchers from Assetnote discovered and reported the vulnerabilities to Progress Software.
Rapid7, a cybersecurity company, confirmed the exploitability of the critical vulnerability through testing. The vulnerability can be easily exploited with an HTTPS POST request and specific multipart data, with no authentication or user interaction required. Assetnote has indicated that they will release a full write-up on the vulnerabilities unless the exploit details become publicly available earlier.
Another critical bug, identified as CVE-2023-42657, is a directory traversal vulnerability present in versions before 8.7.4 and 8.8.2. Exploiting this vulnerability allows attackers to perform file operations on files and folders outside of their authorized WS_FTP folder path. They can also perform the same operations on file and folder locations on the underlying operating system. This bug has a CVSS score of 9.9 out of 10, indicating its near maximum severity.
In addition to these critical vulnerabilities, two high-severity bugs (CVE-2023-40045 and CVE-2023-40047) were discovered, which are cross-site scripting (XSS) vulnerabilities that enable the execution of malicious JavaScript. There are also medium severity flaws, including a cross-site request forgery (CSRF) bug (CVE-2023-40048) and an information disclosure issue (CVE-2023-40049).
Experts note that organizations with good software inventory and monitoring systems should be able to identify and update vulnerable instances of WS_FTP easily. Network monitoring tools can also be employed to detect incoming connection requests to the software.
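The inventory check described above and the fixed versions named earlier (8.7.4 and 8.8.2) can be turned into a small triage script. This is an added example, not code from the article, Assetnote or Progress Software; the hostnames and version strings are constructed, and treating anything older than the 8.7 line as unsupported is an assumption for illustration.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions named in the advisory summary: 8.7.4 and 8.8.2.
FIXED_BY_BRANCH = {(8, 7): (8, 7, 4), (8, 8): (8, 8, 2)}
OLDEST_SUPPORTED_BRANCH = (8, 7)  # assumption: earlier lines treated as unsupported


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.8.1' into (8, 8, 1); raise ValueError on anything else."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable', 'unsupported' or 'unknown' for one install."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        padded = v + (0,) * (3 - len(v))  # so '8.8' compares as 8.8.0
        # Numeric, per-branch comparison: 8.8.1 is newer than 8.7.4 yet still vulnerable
        return "patched" if padded >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch < OLDEST_SUPPORTED_BRANCH:
        return "unsupported"  # out of support: upgrade to a fixed line
    return "unknown"  # newer branch not covered by this advisory


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by status so vulnerable and unsupported hosts can be actioned first."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "unsupported": [], "unknown": [], "patched": []}
    for host, version in inventory:
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ftp-01.example.internal", "8.8.1"),
    ("ftp-02.example.internal", "8.8.2"),
    ("ftp-03.example.internal", "8.7.4"),
    ("ftp-04.example.internal", "8.7.3"),
    ("ftp-05.example.internal", "8.6.0"),
    ("ftp-06.example.internal", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```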
As the vulnerabilities pose significant risks to organizations using WS_FTP, it is crucial for users and security teams to take immediate action. Progress Software has provided the necessary fixes and guidance to protect against these vulnerabilities and prevent potential attacks.