Progress Software patches multiple flaws in its WS_FTP Server product, including a pair of critical flaws, one with a maximum CVSS rating of 10
Background
On September 27, Progress Software published an advisory for WinSock File Transfer Protocol or WS_FTP Server, a secure file transfer solution, addressing eight vulnerabilities. Of the eight vulnerabilities, two are rated as critical:
CVE | Description | Vendor Assigned CVSSv3 | VPR* | Severity |
---|---|---|---|---|
CVE-2023-40044 | WS_FTP .NET Deserialization Vulnerability in Ad Hoc Transfer Module | 10.0 | 9.2 | Critical |
CVE-2023-42657 | WS_FTP Directory Traversal Vulnerability | 9.9 | 7.1 | Critical |
*Please note: Tenable’sVulnerability Priority Rating(VPR) scores are calculated nightly. This blog post was published on October 2 and reflects VPR at that time.
The remaining six vulnerabilities include three high-rated and three medium-rated vulnerabilities:
CVE | Description | Vendor Assigned CVSSv3 | Severity |
---|---|---|---|
CVE-2023-40045 | WS_FTP Reflected Cross-Site Scripting (XSS) Vulnerability | 8.3 | High |
CVE-2023-40046 | WS_FTP SQL Injection Vulnerability | 8.2 | High |
CVE-2023-40047 | WS_FTP Stored XSS Vulnerability | 8.3 | High |
CVE-2023-40048 | WS_FTP Cross-Site Request Forgery Vulnerability | 6.8 | Medium |
CVE-2022-27665 | WS_FTP Reflected XSS Vulnerability | 6.1 | Medium |
CVE-2023-40049 | WS_FTP Information Disclosure Vulnerability | 5.3 | Medium |
Analysis
CVE-2023-40044 is a.NET deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP. An unauthenticated (or pre-authenticated) attacker could exploit this vulnerability by sending a specially crafted POST request to a vulnerable WS_FTP Server. Successful exploitation would grant an attacker the ability to achieve remote command execution on the underlying operating system of the WS_FTP Server.
CVE-2023-42657 is a directory (or path) traversal vulnerability in WS_FTP. An authenticated, remote attacker could exploit this vulnerability to access and modify files (deleting, renaming) and folders (creating, deleting) in paths outside of authorized WS_FTP folders, as well as paths on the underlying operating system.
Concerns due to exploitation of critical flaw in Progress Software’s MOVEit Transfer
In late May, a zero-day vulnerability in Progress Software’s MOVEit Transfer secure managed file transfer (MFT) software was exploited by the CL0P ransomware group and has resulted in the compromise of over 2,000 organizations according to researchers at Emsisoft.
Because of the past exploitation of a file transfer solution from Progress Software, there is notable concern surrounding the discovery of these flaws in WS_FTP. However, based on research from Censys, there aren’t many publicly accessible WS_FTP servers with the Ad Hoc Transfer Module enabled. However, this does not mean that attackers will not target those that do have this module enabled.
Reports of in-the-wild exploitation following publication of proof-of-concept
On September 29, an exploit writer and researcher known as “MCKSys Argentina” posted details of a proof-of-concept (PoC) for CVE-2023-40044 on X (formerly known as Twitter), which includes screenshots of an HTTP POST request to a vulnerable WS_FTP Server that includes a generated deserialization payload using ysoserial.net:
Here is (are) the pic(s) PoC for CVE-2023-40044 (2 for those who need a bit more of info, like me!). https://t.co/Vm1xXS7k8gpic.twitter.com/i8ZkhxmHza
— MCKSys Argentina (@MCKSysAr) September 29, 2023
MCKSys Argentina also discovered a zero-day in MOVEit Transfer in June, identified as CVE-2023-35708.
On September 30, reports emerged that exploitation of CVE-2023-40044 had been observed in the wild.
Researchers credited with discovery share additional details
Shubham Shah, co-founder and CTO of Assetnote, one of the two researchers credited with finding CVE-2023-40044, posted that a write-up for this flaw would be shared 30 days following the release of a patch or if exploit details became available before then.
The @assetnote team recently discovered a pre-auth RCE in Progress WS_FTP, adivsory here:https://t.co/ZP1t4zfBZv
— shubs (@infosec_au) September 28, 2023
We're planning on writing up this issue after 30 days since patch release, or if details of the exploit are publicly released.
On September 30, Shah and his team published a blog post detailing the discovery of the flaw along with its own advisory.
Proof of concept
As noted above, a PoC for CVE-2023-40044 was shared on X on September 29.
Solution
Progress Software has released the following fixed versions of WS_FTP Server 2020 and 2022:
Product | Fixed Version |
---|---|
WS_FTP Server 2020 | 2020.0.4 (8.7.4) |
WS_FTP Server 2022 | 2022.0.2 (8.8.2) |
Customers are strongly encouraged to apply the patches as soon as possible.
For CVE-2023-40044, if patching is not feasible at this time, Progress Software suggests removing or disabling the Ad Hoc Transfer module if it has been enabled to mitigate the risk of exploitation.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Additionally, customers can use Plugin ID 40770, our WS_FTP Server Version Detection, to identify WS_FTP assets. Please note that this plugin requires credentials in order to return version information for assets.
Get more information
- Progress Software Advisory: WS_FTP Server Critical Vulnerability - (September 2023)
- Assetnote Blog: RCE in Progress WS_FTP Ad Hoc via IIS HTTP Modules (CVE-2023-40044)
- Advisory: Progress WS_FTP RCE (CVE-2023-40044)
- Progress Software: Removing or Disabling the WS_FTP Server Ad hoc Transfer Module
- Censys Blog: CVE-2023-40044: A Look at the Critical Ad Hoc Transfer Module Vulnerability in WS_FTP
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.