CyberSecurity SEE

Attackers exploit critical vulnerability in WS_FTP Server (CVE-2023-40044)

Progress Software, the vendor behind MOVEit, the file-sharing tool at the centre of a recent hacking incident, has addressed vulnerabilities in another of its widely used secure file transfer products, WS_FTP Server. The company has fixed two critical vulnerabilities, CVE-2023-40044 and CVE-2023-42657, to secure the software.

One of the vulnerabilities, CVE-2023-40044, is a .NET deserialization flaw that could allow an unauthenticated threat actor to execute commands remotely on the operating system underlying the WS_FTP Server. It can be triggered through an HTTPS POST request. The other vulnerability, CVE-2023-42657, is a directory traversal flaw that could allow a threat actor to perform unauthorized file operations, such as deleting, renaming, or creating folders, outside of their designated WS_FTP folder path.

Rapid7 researchers have reported instances of WS_FTP exploitation in the wild, using two distinct attack chains. Proof-of-concept code for CVE-2023-40044 became available on Friday, further increasing the risk of exploitation.

These vulnerabilities affect versions of WS_FTP Server older than 8.7.4 and 8.8.2. Progress Software strongly recommends that users upgrade to the fixed versions to ensure their systems are secure. The company also advises users to use the full installer for the upgrade and warns that there may be a system outage during the process. For users who are unable to upgrade, Progress Software suggests mitigating the risk of exploitation by removing or disabling the WS_FTP Server Ad hoc Transfer Module.
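To make the version guidance above actionable for an inventory, here is an added triage helper (my own example, not code from Progress Software or Rapid7). It assumes versions are dotted numeric strings, that 8.7.4 and 8.8.2 are the first fixed releases on their branches, and that any release on an older branch is unpatched; hostnames and versions in the sample inventory are constructed.

```python
# Added triage helper, not from Progress Software or Rapid7.
# Assumptions: versions are dotted numeric strings; fixed releases are
# 8.7.4 (8.7 branch) and 8.8.2 (8.8 branch); older branches are unpatched.

FIXED_RELEASES = {(8, 7): (8, 7, 4), (8, 8): (8, 8, 2)}

def parse_version(text: str) -> tuple[int, ...]:
    """'8.7.4' -> (8, 7, 4); rejects empty or non-numeric components."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(version: str) -> bool:
    """True when the WS_FTP Server version predates its branch's fix."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        # Same branch: compare against that branch's first fixed release.
        # Tuple comparison also handles short strings: (8, 7) < (8, 7, 4).
        return v < FIXED_RELEASES[branch]
    # A branch older than any fixed one is unpatched; a newer one is not.
    return branch < min(FIXED_RELEASES)

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into affected / fixed / unknown."""
    result: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "8.7.3",   # 8.7 branch, below 8.7.4
    "ftp-b.example.internal": "8.7.4",   # fixed, even though < 8.8.2
    "ftp-c.example.internal": "8.8.1",   # 8.8 branch, below 8.8.2
    "ftp-d.example.internal": "8.6.0",   # older branch, no fix at all
    "ftp-e.example.internal": "n/a",     # unparseable -> needs manual check
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket (banner missing or unparseable) should be checked by hand rather than assumed patched.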

Assetnote researchers, who discovered and reported CVE-2023-40044, noted that it is surprising that this bug went unaddressed for so long, given that most versions of WS_FTP are vulnerable. They described it as a typical .NET deserialization issue leading to remote code execution (RCE). They also found approximately 2.9k hosts running WS_FTP exposed on the internet, along with exposed web servers, belonging primarily to large enterprises, governments, and educational institutions.

To assist enterprise defenders, Rapid7 has shared indicators of compromise that can be used to determine whether an organization has been affected by the WS_FTP Server vulnerabilities.

In addition to addressing these critical vulnerabilities, Progress Software has also fixed six other high and medium severity vulnerabilities with the latest WS_FTP Server update. Among these vulnerabilities is a reflected cross-site scripting vulnerability (CVE-2023-40045) in the Ad Hoc Transfer module. Exploiting this vulnerability allows attackers to target WS_FTP Server users with specially crafted payloads to execute malicious JavaScript within the victim’s browser.

File transfer tools have frequently been targeted by ransomware gangs, and this incident with WS_FTP Server further emphasizes the importance of securing such tools. The recent MOVEit hack by the Cl0p gang affected over 2000 organizations and more than 60 million individual victims. Previously, the Cl0p gang had exploited vulnerabilities in Accellion’s FTA and Fortra’s GoAnywhere file transfer products to steal data from their targets.

In light of these developments, it is crucial for organizations to remain vigilant about the security of their file transfer solutions and promptly apply any necessary patches or updates to protect against potential cyber threats.
