Critical vulnerability in WS_FTP Server exploited by attackers (CVE-2023-40044)

Progress Software, the company behind the recently hacked MOVEit file-sharing tool, has recently fixed two critical vulnerabilities (CVE-2023-40044, CVE-2023-42657) in WS_FTP Server, another popular secure file transfer solution.

Proof-of-concept code for CVE-2023-40044 has been available since Friday, and Rapid7 researchers have observed multiple instances of WS_FTP exploitation in the wild, with two different attack chains.

The exploited vulnerability (CVE-2023-40044) and the update

CVE-2023-40044 is a .NET deserialization vulnerability that could allow an unauthenticated threat actor to execute remote commands on the underlying WS_FTP Server operating system, and can be exploited via a HTTPS POST request.

CVE-2023-42657 is a directory traversal vulnerability that could allow a threat actor to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path.

Both vulnerabilities affect versions prior to 8.7.4 and 8.8.2 and an upgrade to the fixed versions is strongly recommended.

“Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running,” Progress added. If updating is impossible, the risk of exploitation can be mitigated by removing or disabling the WS_FTP Server Ad hoc Transfer Module.

“[CVE-2023-40044] turned out to be relatively straight forward and represented a typical .NET deserialization issue that led to RCE. It’s surprising that this bug has stayed alive for so long, with the vendor stating that most versions of WS_FTP are vulnerable,” explained Assetnote researchers, who discovered and reported the vulnerability, and published technical details and a PoC exploit.

“From our analysis of WS_FTP, we found that there are about 2.9k hosts on the internet that are running WS_FTP (and also have their webserver exposed, which is necessary for exploitation). Most of these online assets belong to large enterprises, governments and educational institutions.”

Rapid7 has shared indicators of compromise that enterprise defenders can look for to establish whether their organization has been hit.

With this latest WS_FTP Server update, Progress has fixed six additional high and medium severity vulnerabilities.

Among them is also a reflected cross-site scripting vulnerability (CVE-2023-40045) in the Ad Hoc Transfer module, which could be exploited to target WS_FTP Server users with a specialized payload to execute malicious JavaScript within the context of the victim’s browser.

File transfer tools are a popular target for ransomware gangs

The number of organizations affected by Cl0p gang’s MOVEit hack has exceeded 2000, with the number of individual victims surpassing 60 million.

Cl0p has previously exploited vulnerabilities in Accellion’s FTA and Fortra’s GoAnywhere file transfer products to steal data from targets.

UPDATE (October 3, 2023, 02:50 a.m. ET):

“We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch,” a Progress spokesperson told Help Net Security.

“We are not aware of any evidence that these vulnerabilities were being exploited prior to that release. Unfortunately, by building and releasing a POC rapidly after our patch was released, a third-party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible.”