Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface.
Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are impacted by the flaw.
“In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system,” the company said in an advisory.
Assetnote security researchers Shubham Shah and Sean Yeoh have been credited with discovering and reporting the vulnerability.
The list of remaining flaws, impacting WS_FTP Server versions prior to 8.8.2, is as follows -
With security flaws in Progress Software becoming an attractive target for ransomware groups like Cl0p, it's essential that users move quickly to apply the latest patches to contain potential threats.
The company, in the meanwhile, is still grappling with the fallout from the mass hack targeting its MOVEit Transfer secure file transfer platform since May 2023. More than 2,100 organizations and over 62 million individuals are estimated to have been impacted, according to Emsisoft.
Cybersecurity firm Rapid7 said it has observed “multiple instances of WS_FTP exploitation in the wild” as part of what it said is likely an opportunistic campaign, making it imperative that users move quickly to apply the fixes.
“This vulnerability turned out to be relatively straightforward and represented a typical .NET deserialization issue that led to RCE,” Assetnote said in an advisory for CVE-2023-40044. “It's surprising that this bug has stayed alive for so long, with the vendor stating that most versions of WS_FTP are vulnerable.”
Huntress Labs, in an advisory, said it has detected in-the-wild exploitation in a very small number of cases, indicating that the activity so far is mostly opportunistic in nature, with threat actors casting a wide net to breach vulnerable instances.
“CVE-2023-40044 is a .NET deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP,” Tenable researcher Satnam Narang said. “An unauthenticated (or pre-authenticated) attacker could exploit this vulnerability by sending a specially crafted POST request to a vulnerable WS_FTP Server.”
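The bug class Assetnote and Tenable describe above (untrusted input fed to a .NET serializer that instantiates whatever types the payload names) is easier to reason about with code in front of you. The following is an added illustration, not code from WS_FTP Server, Progress Software, or any of the researchers quoted: a hypothetical request handler showing the vulnerable pattern, an interim allow-list binder for legacy code, and a data-only replacement. The handler, type and property names are assumptions.

```csharp
// Added illustration (not WS_FTP Server code). Hypothetical handler showing
// the .NET deserialization pattern behind this bug class, an interim
// type allow-list, and a data-only replacement. All names are assumptions.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;
using System.Text.Json.Serialization;

[Serializable]
public class TransferRequest
{
    public string FileName { get; set; } = "";
    public long SizeBytes { get; set; }
}

// Interim mitigation for legacy code that cannot drop BinaryFormatter yet:
// refuse to resolve any type other than the one the endpoint expects.
// This narrows the attack surface, but Microsoft does not consider binders
// a complete fix; the real fix is to stop using BinaryFormatter on input.
public sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(TransferRequest).FullName)
            return typeof(TransferRequest);
        throw new SerializationException("type not permitted: " + typeName);
    }
}

public static class AdHocTransferHandler
{
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete and unsafe
    // VULNERABLE PATTERN: the request body names the types to instantiate,
    // so an unauthenticated caller controls the object graph. With a
    // suitable gadget type present on the server this becomes code
    // execution, which is the "typical .NET deserialization issue" the
    // article quotes.
    public static TransferRequest HandleUnsafe(byte[] body)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(body);
        return (TransferRequest)formatter.Deserialize(stream);
    }

    // LEGACY WITH BINDER: same formatter, but unexpected types are rejected
    // before they are constructed.
    public static TransferRequest HandleWithBinder(byte[] body)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using var stream = new MemoryStream(body);
        return (TransferRequest)formatter.Deserialize(stream);
    }
#pragma warning restore SYSLIB0011

    // HARDENED: a data-only format bound to a declared schema. The payload
    // cannot name a type; only TransferRequest's properties are populated,
    // unknown members are rejected, and nesting depth is capped.
    public static TransferRequest HandleSafe(byte[] body)
    {
        var options = new JsonSerializerOptions
        {
            UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow, // .NET 8+
            MaxDepth = 8,
        };
        var request = JsonSerializer.Deserialize<TransferRequest>(body, options)
            ?? throw new InvalidDataException("empty request body");
        // Semantic validation still belongs here: deserialization only
        // proves shape, not that the values are acceptable.
        if (string.IsNullOrEmpty(request.FileName)
            || request.FileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || request.SizeBytes < 0)
            throw new InvalidDataException("invalid transfer request");
        return request;
    }
}
```

Two practical notes. First, on .NET 8 the two BinaryFormatter methods throw NotSupportedException unless the `EnableUnsafeBinaryFormatterSerialization` switch is turned on, and .NET 9 drops BinaryFormatter from the shared framework entirely; code that still compiles against it on .NET Framework is exactly the kind of legacy surface this advisory concerns. Second, a binder only blocks types it is asked about, so treat `HandleWithBinder` as a stopgap while migrating to the `HandleSafe` shape, where the serializer is structurally incapable of constructing a type the payload chooses.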
However, attack surface management vendor Censys pointed out that βthe number of potentially vulnerable servers is much lower than expected, which is not the worst news.β
“We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch. We are not aware of any evidence that these vulnerabilities were being exploited prior to that release. Unfortunately, by building and releasing a POC rapidly after our patch was released, a third-party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible.
“The security of our customers is our top priority and we continue to work with our customers and responsible third-party research experts to discover, properly disclose and remediate any issues. We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors.”