
Warning: Two critical vulnerabilities are affecting Progress Software Corporation’s WS_FTP Server

Reference: Advisory #2023-118
Version: 1.0
Affected software: Progress Software Corporation's WS_FTP Server versions prior to 8.7.4 and 8.8.2
Type: Remote Code Execution (RCE) & Directory Traversal
CVE/CVSS:

CVE-2023-40044 / 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2023-42657 / 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023

Risks

Both vulnerabilities affecting Progress Software Corporation’s WS_FTP Server have a HIGH impact on Confidentiality, Integrity, and Availability. No user interaction is required to exploit these vulnerabilities and the attack complexity is low.

Progress Software Corporation is also the vendor of the MOVEit Transfer secure file transfer platform, which was recently affected by a critical vulnerability (CVE-2023-34362) that was massively exploited by the Clop ransomware gang, starting May 27, 2023.

IMPORTANT: Since the vulnerability was initially disclosed, proof-of-concept code and an accompanying write-up have been published. On 2 October 2023, the CCB was made aware that the vulnerability is now under active exploitation, so it is important to patch immediately.

Description

CVE-2023-40044: Ad Hoc Transfer Module .NET Deserialization Vulnerability

A pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.  

CVE-2023-42657: Directory Traversal

An attacker can leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. 

Attackers can also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.
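The escape described for CVE-2023-42657 is prevented by confining every delete, rename, rmdir and mkdir request to the user's authorized folder before the filesystem is touched. The check below is an added illustration written for this advisory, not code from Progress or from WS_FTP Server; the authorized folder and the request paths are constructed, and the demonstration uses POSIX paths on a Linux host although WS_FTP Server itself runs on Windows.

```python
import os
from typing import Optional

# Constructed example: the folder one WS_FTP account is authorized to use.
AUTHORIZED_ROOT = "/srv/wsftp/users/alice"
# The operations the advisory names as affected by the traversal flaw.
ALLOWED_OPS = {"delete", "rename", "rmdir", "mkdir"}


def resolve_inside(root: str, user_path: str) -> Optional[str]:
    """Canonicalise user_path relative to root and return the absolute path
    if it stays inside root, otherwise None."""
    # WS_FTP Server runs on Windows, where '\' is also a separator; normalise
    # it so "..\..\" sequences are not treated as a plain file name on POSIX.
    user_path = user_path.replace("\\", "/")
    root_real = os.path.realpath(root)
    # realpath collapses '..' and '.' segments; an absolute user_path makes
    # os.path.join drop root entirely, which the containment check catches.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    try:
        # commonpath compares whole path components, so a sibling such as
        # ".../alice2" is rejected where a naive startswith() would accept it.
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:  # e.g. paths on different Windows drives
        return None
    return candidate


def authorize_file_operation(op: str, root: str, *paths: str) -> dict:
    """Validate a file-operation request; the caller acts only if 'allowed'."""
    if op not in ALLOWED_OPS:
        return {"allowed": False, "reason": f"unsupported op {op!r}", "paths": []}
    resolved = [resolve_inside(root, p) for p in paths]
    if any(r is None for r in resolved):
        return {"allowed": False, "reason": "path escapes authorized folder", "paths": []}
    return {"allowed": True, "reason": "ok", "paths": resolved}


if __name__ == "__main__":
    for op, args in [("mkdir", ("reports/2023",)),
                     ("rename", ("a.txt", "../bob/a.txt")),
                     ("delete", ("..\\..\\..\\Windows\\win.ini",))]:
        print(op, args, "->", authorize_file_operation(op, AUTHORIZED_ROOT, *args))
```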

Recommended actions

The Centre for Cybersecurity Belgium strongly recommends that system administrators visit Progress Software Corporation's release notes pages to download and install the patched versions of this software.

Progress Software Corporation’s release notes pages:

A workaround is also available if patching is not possible at this point in time: https://community.progress.com/s/article/Removing-or-Disabling-the-WS-FTP-Server-Ad-hoc-Transfer-Module
