Progress Software patches multiple flaws in its WS_FTP Server product, including a pair of critical flaws, one with a maximum CVSS rating of 10
On September 27, Progress Software published an advisory for WinSock File Transfer Protocol or WS_FTP Server, a secure file transfer solution, addressing eight vulnerabilities. Of the eight vulnerabilities, two are rated as critical:
CVE | Description | Vendor Assigned CVSSv3 | VPR* | Severity |
---|---|---|---|---|
CVE-2023-40044 | WS_FTP .NET Deserialization Vulnerability in Ad Hoc Transfer Module | 10.0 | 9.2 | Critical |
CVE-2023-42657 | WS_FTP Directory Traversal Vulnerability | 9.9 | 7.1 | Critical |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on October 2 and reflects VPR at that time.
The remaining six vulnerabilities include three high-rated and three medium-rated vulnerabilities:
CVE | Description | Vendor Assigned CVSSv3 | Severity |
---|---|---|---|
CVE-2023-40045 | WS_FTP Reflected Cross-Site Scripting (XSS) Vulnerability | 8.3 | High |
CVE-2023-40046 | WS_FTP SQL Injection Vulnerability | 8.2 | High |
CVE-2023-40047 | WS_FTP Stored XSS Vulnerability | 8.3 | High |
CVE-2023-40048 | WS_FTP Cross-Site Request Forgery Vulnerability | 6.8 | Medium |
CVE-2022-27665 | WS_FTP Reflected XSS Vulnerability | 6.1 | Medium |
CVE-2023-40049 | WS_FTP Information Disclosure Vulnerability | 5.3 | Medium |
CVE-2023-40044 is a .NET deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP. An unauthenticated (or pre-authenticated) attacker could exploit this vulnerability by sending a specially crafted POST request to a vulnerable WS_FTP Server. Successful exploitation would grant an attacker the ability to achieve remote command execution on the underlying operating system of the WS_FTP Server.
CVE-2023-42657 is a directory (or path) traversal vulnerability in WS_FTP. An authenticated, remote attacker could exploit this vulnerability to access and modify files (deleting, renaming) and folders (creating, deleting) in paths outside of authorized WS_FTP folders, as well as paths on the underlying operating system.
Concerns due to exploitation of critical flaw in Progress Software’s MOVEit Transfer
In late May, a zero-day vulnerability in Progress Software’s MOVEit Transfer secure managed file transfer (MFT) software was exploited by the CL0P ransomware group and has resulted in the compromise of over 2,000 organizations according to researchers at Emsisoft.
Because of the past exploitation of a file transfer solution from Progress Software, there is notable concern surrounding the discovery of these flaws in WS_FTP. However, based on research from Censys, there aren’t many publicly accessible WS_FTP servers with the Ad Hoc Transfer Module enabled. That said, this does not mean that attackers will not target those that do have this module enabled.
Reports of in-the-wild exploitation following publication of proof-of-concept
On September 29, an exploit writer and researcher known as “MCKSys Argentina” posted details of a proof-of-concept (PoC) for CVE-2023-40044 on X (formerly known as Twitter), which includes screenshots of an HTTP POST request to a vulnerable WS_FTP Server that includes a generated deserialization payload using ysoserial.net:
Here is (are) the pic(s) PoC for CVE-2023-40044 (2 for those who need a bit more of info, like me!). https://t.co/Vm1xXS7k8g pic.twitter.com/i8ZkhxmHza
— MCKSys Argentina (@MCKSysAr) September 29, 2023
MCKSys Argentina also discovered a zero-day in MOVEit Transfer in June, identified as CVE-2023-35708.
On September 30, reports emerged that exploitation of CVE-2023-40044 had been observed in the wild.
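As a defender-side illustration of the request shape described above (a POST whose body carries a ysoserial.net-generated .NET deserialization stream), here is an added example that is not code from Tenable, Progress Software or the researchers: it scans constructed request bodies for base64 tokens that decode to a .NET BinaryFormatter stream. The endpoint path, the sample requests and the blob are constructed placeholders (the post does not name the vulnerable endpoint), and it is an assumption here that a payload would use the BinaryFormatter, so treat this as a log-triage heuristic rather than a signature for the CVE.

```python
import base64
import re
import urllib.parse

# .NET BinaryFormatter streams begin with a SerializationHeaderRecord whose first bytes
# are 00 01 00 00 00 FF FF FF FF; base64-encoded, that is the well-known "AAEAAAD/////".
# ysoserial.net can emit other formatters too, so this is one heuristic, not full coverage.
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff")
BINARYFORMATTER_B64_PREFIX = "AAEAAAD/////"
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _body_variants(body: str):
    """Yield the body raw and percent-decoded, since form posts escape '+' and '/'."""
    yield body
    yield urllib.parse.unquote(body)
    yield urllib.parse.unquote_plus(body)


def find_binaryformatter_blobs(body: str) -> list:
    """Return distinct base64 tokens in the body whose decoded bytes carry the magic."""
    hits = []
    for variant in _body_variants(body):
        for token in B64_TOKEN_RE.findall(variant):
            padded = token + "=" * (-len(token) % 4)
            try:
                raw = base64.b64decode(padded, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if BINARYFORMATTER_MAGIC in raw and token not in hits:
                hits.append(token)
    return hits


def triage_request(method: str, path: str, body: str) -> dict:
    """Flag POST bodies that smuggle a BinaryFormatter stream, whatever the path."""
    blobs = find_binaryformatter_blobs(body) if method.upper() == "POST" else []
    return {"method": method, "path": path, "suspicious": bool(blobs), "blob_count": len(blobs)}


# Constructed sample requests (not captured traffic; the endpoint path is a placeholder
# because the post does not name it). The blob is the magic plus inert filler, not a gadget chain.
CONSTRUCTED_BLOB = base64.b64encode(BINARYFORMATTER_MAGIC + b"constructed filler, no gadgets" * 2).decode()
SAMPLE_REQUESTS = [
    ("GET", "/placeholder-web-client/", ""),
    ("POST", "/placeholder-web-client/login", "username=alice&password=example"),
    ("POST", "/PLACEHOLDER-adhoc-transfer-endpoint", "token=" + urllib.parse.quote(CONSTRUCTED_BLOB, safe="")),
]


def scan_requests(requests=SAMPLE_REQUESTS) -> list:
    """Triage every sample request; only the percent-encoded BinaryFormatter POST should flag."""
    return [triage_request(*req) for req in requests]
```

Running `scan_requests()` flags only the third sample, because the blob is recovered after percent-decoding even though the raw body contains no 20-character base64 run that decodes to the magic.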
Researchers credited with discovery share additional details
Shubham Shah, co-founder and CTO of Assetnote, one of the two researchers credited with finding CVE-2023-40044, posted that a write-up for this flaw would be shared 30 days following the release of a patch or if exploit details became available before then.
The @assetnote team recently discovered a pre-auth RCE in Progress WS_FTP, advisory here: https://t.co/ZP1t4zfBZv
We're planning on writing up this issue after 30 days since patch release, or if details of the exploit are publicly released.
— shubs (@infosec_au) September 28, 2023
On September 30, Shah and his team published a blog post detailing the discovery of the flaw along with its own advisory.
As noted above, a PoC for CVE-2023-40044 was shared on X on September 29.
Progress Software has released the following fixed versions of WS_FTP Server 2020 and 2022:
Customers are strongly encouraged to apply the patches as soon as possible.
For CVE-2023-40044, if patching is not feasible at this time, Progress Software suggests removing or disabling the Ad Hoc Transfer module if it has been enabled to mitigate the risk of exploitation.
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Additionally, customers can use Plugin ID 40770, our WS_FTP Server Version Detection, to identify WS_FTP assets. Please note that this plugin requires credentials in order to return version information for assets.
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).