2023-10-3 01:11:55 Author: www.tenable.com(查看原文) 阅读量:23 收藏
Progress Software patches multiple flaws in its WS_FTP Server product, including a pair of critical flaws, one with a maximum CVSS rating of 10
Background
On September 27, Progress Software published an advisory for WinSock File Transfer Protocol or WS_FTP Server, a secure file transfer solution, addressing eight vulnerabilities. Of the eight vulnerabilities, two are rated as critical:
| CVE | Description | Vendor Assigned CVSSv3 | VPR* | Severity |
|---|---|---|---|---|
| CVE-2023-40044 | WS_FTP .NET Deserialization Vulnerability in Ad Hoc Transfer Module | 10.0 | 9.2 | Critical |
| CVE-2023-42657 | WS_FTP Directory Traversal Vulnerability | 9.9 | 7.1 | Critical |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on October 2 and reflects VPR at that time.
The remaining six vulnerabilities include three high-rated and three medium-rated vulnerabilities:
| CVE | Description | Vendor Assigned CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-40045 | WS_FTP Reflected Cross-Site Scripting (XSS) Vulnerability | 8.3 | High |
| CVE-2023-40046 | WS_FTP SQL Injection Vulnerability | 8.2 | High |
| CVE-2023-40047 | WS_FTP Stored XSS Vulnerability | 8.3 | High |
| CVE-2023-40048 | WS_FTP Cross-Site Request Forgery Vulnerability | 6.8 | Medium |
| CVE-2022-27665 | WS_FTP Reflected XSS Vulnerability | 6.1 | Medium |
| CVE-2023-40049 | WS_FTP Information Disclosure Vulnerability | 5.3 | Medium |
Analysis
CVE-2023-40044 is a.NET deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP. An unauthenticated (or pre-authenticated) attacker could exploit this vulnerability by sending a specially crafted POST request to a vulnerable WS_FTP Server. Successful exploitation would grant an attacker the ability to achieve remote command execution on the underlying operating system of the WS_FTP Server.
CVE-2023-42657 is a directory (or path) traversal vulnerability in WS_FTP. An authenticated, remote attacker could exploit this vulnerability to access and modify files (deleting, renaming) and folders (creating, deleting) in paths outside of authorized WS_FTP folders, as well as paths on the underlying operating system.
Concerns due to exploitation of critical flaw in Progress Software’s MOVEit Transfer
In late May, a zero-day vulnerability in Progress Software’s MOVEit Transfer secure managed file transfer (MFT) software was exploited by the CL0P ransomware group and has resulted in the compromise of over 2,000 organizations according to researchers at Emsisoft.
Because of the past exploitation of a file transfer solution from Progress Software, there is notable concern surrounding the discovery of these flaws in WS_FTP. However, based on research from Censys, there aren’t many publicly accessible WS_FTP servers with the Ad Hoc Transfer Module enabled. However, this does not mean that attackers will not target those that do have this module enabled.
Reports of in-the-wild exploitation following publication of proof-of-concept
On September 29, an exploit writer and researcher known as “MCKSys Argentina” posted details of a proof-of-concept (PoC) for CVE-2023-40044 on X (formerly known as Twitter), which includes screenshots of an HTTP POST request to a vulnerable WS_FTP Server that includes a generated deserialization payload using ysoserial.net:
Here is (are) the pic(s) PoC for CVE-2023-40044 (2 for those who need a bit more of info, like me!). https://t.co/Vm1xXS7k8g pic.twitter.com/i8ZkhxmHza
— MCKSys Argentina (@MCKSysAr) September 29, 2023
MCKSys Argentina also discovered a zero-day in MOVEit Transfer in June, identified as CVE-2023-35708.
On September 30, reports emerged that exploitation of CVE-2023-40044 had been observed in the wild.
Researchers credited with discovery share additional details
Shubham Shah, co-founder and CTO of Assetnote, one of the two researchers credited with finding CVE-2023-40044, posted that a write-up for this flaw would be shared 30 days following the release of a patch or if exploit details became available before then.
— shubs (@infosec_au) September 28, 2023The @assetnote team recently discovered a pre-auth RCE in Progress WS_FTP, adivsory here:https://t.co/ZP1t4zfBZv
We're planning on writing up this issue after 30 days since patch release, or if details of the exploit are publicly released.
On September 30, Shah and his team published a blog post detailing the discovery of the flaw along with its own advisory.
Proof of concept
As noted above, a PoC for CVE-2023-40044 was shared on X on September 29.
Solution
Progress Software has released the following fixed versions of WS_FTP Server 2020 and 2022:
Customers are strongly encouraged to apply the patches as soon as possible.
For CVE-2023-40044, if patching is not feasible at this time, Progress Software suggests removing or disabling the Ad Hoc Transfer module if it has been enabled to mitigate the risk of exploitation.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Additionally, customers can use Plugin ID 40770, our WS_FTP Server Version Detection, to identify WS_FTP assets. Please note that this plugin requires credentials in order to return version information for assets.
Get more information
- Progress Software Advisory: WS_FTP Server Critical Vulnerability - (September 2023)
- Assetnote Blog: RCE in Progress WS_FTP Ad Hoc via IIS HTTP Modules (CVE-2023-40044)
- Advisory: Progress WS_FTP RCE (CVE-2023-40044)
- Progress Software: Removing or Disabling the WS_FTP Server Ad hoc Transfer Module
- Censys Blog: CVE-2023-40044: A Look at the Critical Ad Hoc Transfer Module Vulnerability in WS_FTP
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam Narang
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
Related Articles
- Exposure Management
- Vulnerability Management
Cybersecurity News You Can Use
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.
Tenable Vulnerability Management
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.
Tenable Vulnerability Management
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
65 assets
Choose Your Subscription Option:
Thank You
Thank you for your interest in Tenable.io. A representative will be in touch soon.
Try Tenable Nessus Professional Free
FREE FOR 7 DAYS
Tenable Nessus is the most comprehensive vulnerability scanner on the market today.
NEW - Tenable Nessus Expert
Now Available
Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.
Fill out the form below to continue with a Nessus Pro Trial.
Buy Tenable Nessus Professional
Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.
Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.
BUY
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
65 assets
Choose Your Subscription Option:
Thank You
Thank you for your interest in Tenable.io. A representative will be in touch soon.
Try Tenable Web App Scanning
Formerly Tenable.io Web Application Scanning
Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.
Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Cloud Security.
Buy Tenable Web App Scanning
Formerly Tenable.io Web Application Scanning
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
Try Tenable Lumin
Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.
Your Tenable Lumin trial also includes Tenable Vulnerability Management, Tenable Web App Scanning and Tenable Cloud Security.
Buy Tenable Lumin
Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.
Thank You
Thank you for your interest in Tenable Lumin. A representative will be in touch soon.
Request a demo of Tenable Security Center
Formerly Tenable.sc
Please fill out this form with your contact information.
A sales representative will contact you shortly to schedule a demo.
* Field is required
Request a demo of Tenable OT Security
Formerly Tenable.ot
Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.
Request a demo of Tenable Identity Exposure
Formerly Tenable.ad
Continuously detect and respond to Active Directory attacks. No agents. No privileges.
On-prem and in the cloud.
Try Tenable Cloud Security
Formerly Tenable.cs
Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now. To learn more about the trial process click here.
Your Tenable Cloud Security trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Web App Scanning.
Contact a Sales Rep to Buy Tenable Cloud Security
Contact a Sales Representative to learn more about Tenable Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.
Thank You
Thank you for your interest in Tenable.cs. A representative will be in touch soon.
See
Tenable One
In Action
Exposure management for the modern attack surface.
See Tenable Attack Surface Management In Action
Formerly Tenable.asm
Know the exposure of every asset on any platform.
Thank You
Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.
Try Tenable Nessus Expert Free
FREE FOR 7 DAYS
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.
Buy Tenable Nessus Expert
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Try Nessus Expert Free
FREE FOR 7 DAYS
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.
Buy Tenable Nessus Expert
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
如有侵权请联系:admin#unsafe.sh