Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

CVE-2023-40044, CVE-2023-42657: Progress Software Patches Multiple Vulnerabilities in WS_FTP Server

$
0
0

Progress Software patches multiple flaws in its WS_FTP Server product, including a pair of critical flaws, one with a maximum CVSS rating of 10

Background

On September 27, Progress Software published an advisory for WinSock File Transfer Protocol or WS_FTP Server, a secure file transfer solution, addressing eight vulnerabilities. Of the eight vulnerabilities, two are rated as critical:

CVEDescriptionVendor Assigned CVSSv3VPR*Severity
CVE-2023-40044WS_FTP .NET Deserialization Vulnerability in Ad Hoc Transfer Module10.09.2Critical
CVE-2023-42657WS_FTP Directory Traversal Vulnerability9.97.1Critical

*Please note: Tenable’sVulnerability Priority Rating(VPR) scores are calculated nightly. This blog post was published on October 2 and reflects VPR at that time.

The remaining six vulnerabilities include three high-rated and three medium-rated vulnerabilities:

CVEDescriptionVendor Assigned CVSSv3Severity
CVE-2023-40045WS_FTP Reflected Cross-Site Scripting (XSS) Vulnerability8.3High
CVE-2023-40046WS_FTP SQL Injection Vulnerability8.2High
CVE-2023-40047WS_FTP Stored XSS Vulnerability8.3High
CVE-2023-40048WS_FTP Cross-Site Request Forgery Vulnerability6.8Medium
CVE-2022-27665WS_FTP Reflected XSS Vulnerability6.1Medium
CVE-2023-40049WS_FTP Information Disclosure Vulnerability5.3Medium

Analysis

CVE-2023-40044 is a.NET deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP. An unauthenticated (or pre-authenticated) attacker could exploit this vulnerability by sending a specially crafted POST request to a vulnerable WS_FTP Server. Successful exploitation would grant an attacker the ability to achieve remote command execution on the underlying operating system of the WS_FTP Server.

CVE-2023-42657 is a directory (or path) traversal vulnerability in WS_FTP. An authenticated, remote attacker could exploit this vulnerability to access and modify files (deleting, renaming) and folders (creating, deleting) in paths outside of authorized WS_FTP folders, as well as paths on the underlying operating system.

Concerns due to exploitation of critical flaw in Progress Software’s MOVEit Transfer

In late May, a zero-day vulnerability in Progress Software’s MOVEit Transfer secure managed file transfer (MFT) software was exploited by the CL0P ransomware group and has resulted in the compromise of over 2,000 organizations according to researchers at Emsisoft.

Because of the past exploitation of a file transfer solution from Progress Software, there is notable concern surrounding the discovery of these flaws in WS_FTP. However, based on research from Censys, there aren’t many publicly accessible WS_FTP servers with the Ad Hoc Transfer Module enabled. However, this does not mean that attackers will not target those that do have this module enabled.

Reports of in-the-wild exploitation following publication of proof-of-concept

On September 29, an exploit writer and researcher known as “MCKSys Argentina” posted details of a proof-of-concept (PoC) for CVE-2023-40044 on X (formerly known as Twitter), which includes screenshots of an HTTP POST request to a vulnerable WS_FTP Server that includes a generated deserialization payload using ysoserial.net:

MCKSys Argentina also discovered a zero-day in MOVEit Transfer in June, identified as CVE-2023-35708.

On September 30, reports emerged that exploitation of CVE-2023-40044 had been observed in the wild.

Researchers credited with discovery share additional details

Shubham Shah, co-founder and CTO of Assetnote, one of the two researchers credited with finding CVE-2023-40044, posted that a write-up for this flaw would be shared 30 days following the release of a patch or if exploit details became available before then.

On September 30, Shah and his team published a blog post detailing the discovery of the flaw along with its own advisory.

Proof of concept

As noted above, a PoC for CVE-2023-40044 was shared on X on September 29.

Solution

Progress Software has released the following fixed versions of WS_FTP Server 2020 and 2022:

ProductFixed Version
WS_FTP Server 20202020.0.4 (8.7.4)
WS_FTP Server 20222022.0.2 (8.8.2)

Customers are strongly encouraged to apply the patches as soon as possible.

For CVE-2023-40044, if patching is not feasible at this time, Progress Software suggests removing or disabling the Ad Hoc Transfer module if it has been enabled to mitigate the risk of exploitation.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Additionally, customers can use Plugin ID 40770, our WS_FTP Server Version Detection, to identify WS_FTP assets. Please note that this plugin requires credentials in order to return version information for assets.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.


Viewing all articles
Browse latest Browse all 1935

Trending Articles