CVE-2023-40044, CVE-2023-42657: Progress Software Patches Multiple Vulnerabilities in WS_FTP Server
2023-10-3 01:11:55 Author: www.tenable.com(查看原文) 阅读量:23 收藏

Satnam Narang

A Tenable Research Advisory for a critical vulnerability in Progress Software's WS_FTP that has been exploited in the wild.

Progress Software patches multiple flaws in its WS_FTP Server product, including a pair of critical flaws, one with a maximum CVSS rating of 10

Background

On September 27, Progress Software published an advisory for WinSock File Transfer Protocol or WS_FTP Server, a secure file transfer solution, addressing eight vulnerabilities. Of the eight vulnerabilities, two are rated as critical:

CVE Description Vendor Assigned CVSSv3 VPR* Severity
CVE-2023-40044 WS_FTP .NET Deserialization Vulnerability in Ad Hoc Transfer Module 10.0 9.2 Critical
CVE-2023-42657 WS_FTP Directory Traversal Vulnerability 9.9 7.1 Critical

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on October 2 and reflects VPR at that time.

The remaining six vulnerabilities include three high-rated and three medium-rated vulnerabilities:

CVE Description Vendor Assigned CVSSv3 Severity
CVE-2023-40045 WS_FTP Reflected Cross-Site Scripting (XSS) Vulnerability 8.3 High
CVE-2023-40046 WS_FTP SQL Injection Vulnerability 8.2 High
CVE-2023-40047 WS_FTP Stored XSS Vulnerability 8.3 High
CVE-2023-40048 WS_FTP Cross-Site Request Forgery Vulnerability 6.8 Medium
CVE-2022-27665 WS_FTP Reflected XSS Vulnerability 6.1 Medium
CVE-2023-40049 WS_FTP Information Disclosure Vulnerability 5.3 Medium

Analysis

CVE-2023-40044 is a.NET deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP. An unauthenticated (or pre-authenticated) attacker could exploit this vulnerability by sending a specially crafted POST request to a vulnerable WS_FTP Server. Successful exploitation would grant an attacker the ability to achieve remote command execution on the underlying operating system of the WS_FTP Server.

CVE-2023-42657 is a directory (or path) traversal vulnerability in WS_FTP. An authenticated, remote attacker could exploit this vulnerability to access and modify files (deleting, renaming) and folders (creating, deleting) in paths outside of authorized WS_FTP folders, as well as paths on the underlying operating system.

Concerns due to exploitation of critical flaw in Progress Software’s MOVEit Transfer

In late May, a zero-day vulnerability in Progress Software’s MOVEit Transfer secure managed file transfer (MFT) software was exploited by the CL0P ransomware group and has resulted in the compromise of over 2,000 organizations according to researchers at Emsisoft.

Because of the past exploitation of a file transfer solution from Progress Software, there is notable concern surrounding the discovery of these flaws in WS_FTP. However, based on research from Censys, there aren’t many publicly accessible WS_FTP servers with the Ad Hoc Transfer Module enabled. However, this does not mean that attackers will not target those that do have this module enabled.

Reports of in-the-wild exploitation following publication of proof-of-concept

On September 29, an exploit writer and researcher known as “MCKSys Argentina” posted details of a proof-of-concept (PoC) for CVE-2023-40044 on X (formerly known as Twitter), which includes screenshots of an HTTP POST request to a vulnerable WS_FTP Server that includes a generated deserialization payload using ysoserial.net:

Here is (are) the pic(s) PoC for CVE-2023-40044 (2 for those who need a bit more of info, like me!). https://t.co/Vm1xXS7k8g pic.twitter.com/i8ZkhxmHza

— MCKSys Argentina (@MCKSysAr) September 29, 2023

MCKSys Argentina also discovered a zero-day in MOVEit Transfer in June, identified as CVE-2023-35708.

On September 30, reports emerged that exploitation of CVE-2023-40044 had been observed in the wild.

Researchers credited with discovery share additional details

Shubham Shah, co-founder and CTO of Assetnote, one of the two researchers credited with finding CVE-2023-40044, posted that a write-up for this flaw would be shared 30 days following the release of a patch or if exploit details became available before then.

The @assetnote team recently discovered a pre-auth RCE in Progress WS_FTP, adivsory here:https://t.co/ZP1t4zfBZv

We're planning on writing up this issue after 30 days since patch release, or if details of the exploit are publicly released.

— shubs (@infosec_au) September 28, 2023

On September 30, Shah and his team published a blog post detailing the discovery of the flaw along with its own advisory.

Proof of concept

As noted above, a PoC for CVE-2023-40044 was shared on X on September 29.

Solution

Progress Software has released the following fixed versions of WS_FTP Server 2020 and 2022:

Customers are strongly encouraged to apply the patches as soon as possible.

For CVE-2023-40044, if patching is not feasible at this time, Progress Software suggests removing or disabling the Ad Hoc Transfer module if it has been enabled to mitigate the risk of exploitation.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Additionally, customers can use Plugin ID 40770, our WS_FTP Server Version Detection, to identify WS_FTP assets. Please note that this plugin requires credentials in order to return version information for assets.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Satnam Narang

Satnam Narang

Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.

Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).

Related Articles

  • Exposure Management
  • Vulnerability Management

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable.io. A representative will be in touch soon.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable.io. A representative will be in touch soon.

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Cloud Security.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management, Tenable Web App Scanning and Tenable Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Thank You

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

Request a demo of Tenable Security Center

Formerly Tenable.sc

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

* Field is required

Request a demo of Tenable OT Security

Formerly Tenable.ot

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

Request a demo of Tenable Identity Exposure

Formerly Tenable.ad

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

Try Tenable Cloud Security

Formerly Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now. To learn more about the trial process click here.

Your Tenable Cloud Security trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Web App Scanning.

Contact a Sales Rep to Buy Tenable Cloud Security

Contact a Sales Representative to learn more about Tenable Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Thank You

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

See
Tenable One
In Action

Exposure management for the modern attack surface.

See Tenable Attack Surface Management In Action

Formerly Tenable.asm

Know the exposure of every asset on any platform.

Thank You

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.


文章来源: https://www.tenable.com/blog/cve-2023-40044-cve-2023-42657-progress-software-patches-multiple-vulnerabilities-in-ws-ftp
如有侵权请联系:admin#unsafe.sh