Patch It Up: WS_FTP Server’s Unplanned Fixes

In a recent development following the disclosure of the critical CVE-2023-40044 vulnerability in Progress Software’s WS_FTP Server, security researchers from Assetnote have released a proof-of-concept (PoC) exploit for this maximum severity remote code execution (RCE) flaw. This PoC exploit, published over the weekend, allows unauthenticated attackers to remotely execute commands on the affected systems by exploiting the .NET deserialization vulnerability within the Ad Hoc Transfer Module. Assetnote’s analysis has revealed that there are approximately 2.9k hosts on the internet running WS_FTP Server with their webservers exposed, primarily belonging to large enterprises, governments, and educational institutions. 

The situation has taken a more concerning turn as cybersecurity company Rapid7 reported that attackers have already started exploiting CVE-2023-40044 in the wild. These incidents of exploitation were observed on Saturday evening, September 30, and Rapid7 suggests that the process execution chain appears consistent across these incidents, hinting at possible mass exploitation by a single threat actor. Furthermore, the utilization of the same Burpsuite domain across all these incidents adds to this suspicion. 

In light of these recent developments, organizations are urged to act swiftly, either by upgrading to the recommended highest version, 8.8.2, or by disabling the vulnerable WS_FTP Server Ad Hoc Transfer Module if immediate patching is not feasible. 

Progress Software, the creator of the MOVEit Transfer file-sharing platform, has issued a critical warning to its customers regarding a severe vulnerability in its WS_FTP Server software. This software is widely employed by numerous IT teams globally for secure file transfers in enterprise environments.

In a recent advisory, Progress Software revealed the existence of multiple vulnerabilities affecting the WS_FTP Server software, particularly within its manager interface and Ad hoc Transfer Module. Among the security issues addressed this week, two were classified as highly critical.

The first, known as CVE-2023-40044, received a maximum severity CVSS rating of 10 from Progress and was given an 8.8 from NIST. It permits unauthenticated attackers to execute remote commands after exploiting a .NET deserialization vulnerability in the Ad Hoc Transfer module.

The “WS_FTP Server Integrated Ad Hoc Transfer Module” enables users to send files securely to one or more recipients using either a Microsoft Outlook plugin or their web browser. According to Progress “With this module, organizations can improve the way they manage file transfer interactions and apply encryption, access control and authentication, digital loss prevention, and content management.”

The .NET deserialization vulnerability means that untrusted data was deserialized without verification of valid results. Serializing objects for communication or storage is a common convenience, but when deserialized data lacks proper cryptography for protection, it can be easily tampered with outside of the designated access functions. Untrusted data should never be assumed to be well-formed.

The second critical bug, identified as CVE-2023-42657, is a directory traversal flaw that allows attackers to carry out file operations beyond the authorized WS_FTP folder path, potentially extending to the underlying operating system.

This vulnerability stems from its failure to sanitize external input used to construct a file or directory pathname within a restricted parent directory. Attackers can exploit this by employing special elements like “..” and “/” separators to break out of the restricted directory, leading to unauthorized access of files or directories. Additionally, some programming languages may enable attackers to truncate filenames and widen the scope of their attack, even when restrictions like file type limitations are in place, by injecting null bytes

These vulnerabilities are of significant concern as they can be exploited with relatively low complexity, requiring no user interaction. While versions 8.7.4 and 8.8.2 have both been patched, Progress Software strongly advises customers to perform an upgrade to the latest version, 8.8.2, as the only effective means of remediation.

The company acknowledges that system downtime may occur during the upgrade process. Additionally, Progress Software provides guidance on how to remove or disable the vulnerable WS_FTP Server Ad Hoc Transfer Module if it is not in use, further bolstering security for affected systems.

In Summary: This article highlights a critical vulnerability in Progress Software’s WS_FTP Server software, used for secure file transfers. The vulnerability allows unauthenticated attackers to execute remote commands and perform unauthorized file operations. Progress Software urges users to upgrade to the latest version, 8.8.2, for mitigation.

Why It Matters: Managed Service Providers and their clients should take note of this article as it outlines a critical security issue in widely used file transfer software. Exploitation of these vulnerabilities could lead to data breaches and system compromise. MSPs can proactively advise their clients to apply necessary patches or upgrades, reinforcing their commitment to robust cybersecurity measures and protecting sensitive data from potential threats.

To stay up to date on all APG intel, follow them on Twitter and Reddit.