For the second time in recent months, Progress Software is requiring enterprise security teams to drop everything and move quickly to protect their organizations against critical vulnerabilities in its file-transfer software — this time, the WS_FTP file transfer product used by some 40 million people.
The most severe of the bugs allows for pre-authenticated remote code execution (RCE) without any user interaction. In addition, the group also includes a bug that’s near maximum severity and six that are of either high or medium severity.
News of the new vulnerabilities comes even as thousands of Progress customers are reeling from a zero-day vulnerability in its MOVEit file transfer technology that the company disclosed in late May. So far, more than 2,100 organizations have fallen victim to attacks leveraging the flaw, many of them by the Cl0p ransomware group. The newly disclosed bugs could be similarly dangerous: They affect all supported versions of WS_FTP, which, like MOVEit, is enterprise-grade software that organizations use to enable secure file transfers between systems, groups, individuals.
In an emailed statement to Dark Reading, a spokesman from Progress said the company has seen no signs of exploit activity targeting any of the flaws, so far.
“We have responsibly disclosed these vulnerabilities in conjunction with the researchers at Assetnote,” the statement said. “Currently, we have not seen any indication that these vulnerabilities have been exploited. We have issued a fix and have encouraged our customers to perform an upgrade to the patched version of our software.”
Patch WS_FTP Now
Progress has remediated the vulnerabilities and issued version-specific hotfixes for all affected products. The company is urging its customers to update immediately or apply its recommended mitigation steps; Progress wants organizations that are using unsupported versions of WS_FTP to upgrade to a supported and fixed version ASAP as well.
“Upgrading to a patched release, using the full installer, is the only way to remediate this issue,” Progress said. “There will be an outage to the system while the upgrade is running.”
Specifically, the vulnerabilities that Progress disclosed this week are present in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface.
Critical Vulnerability Is “Easily Exploitable”
The maximum severity vulnerability tracked as CVE-2023-40044 affects WS_FTP Server versions prior to 8.7.4 and 8.8.2, and as mentioned gives attackers a way to gain pre-authentication RCE on affected systems. Progress described the issue as a .NET serialization vulnerability — a common kind of bug where an app processes request payloads in an insecure manner. Such flaws can enable denial-of-service attacks, information leaks, and RCE. Progress credited two researchers from Assetnote as discovering the flaws and reporting it to the company.
Caitlin Condon, head of vulnerability research at Rapid7, says her company’s research team was able to identity the vulnerability and test its exploitability. “[Rapid 7 has] verified that it is easily exploitable with an HTTPS POST request — and some specific multipart data — to any URI under a specific path. No authentication is required, and no user interaction is required,” Condon says.
In a post on X (formerly Twitter) on Sept. 28, one of the Assetnote researchers announced the company’s plans to release a full write-up on the issues they discovered in 30 days — or if details of the exploit become publicly available before then.
Meanwhile, the other critical bug is a directory traversal vulnerability, CVE-2023-42657, in WS_FTP Server versions before 8.7.4 and 8.8.2.
“An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path,” Progress warned in its advisory. “Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.” The bug has a CVSS score of 9.9 out of 10, making it a near maximum severity vulnerability. Directory traversal flaws, or path traversal, are vulnerabilities that basically give attackers a way to access unauthorized files and directories.
How to Uncover the Bugs in Progress’ File Transfer
The other issues include two high-severity bugs (CVE-2023-40045 and CVE-2023-40047), which are cross-site scripting (XSS) vulnerabilities that enable execution of malicious JavaScript. The medium security flaws include CVE-2023-40048, a cross-site request forgery (CSRF) bug; and CVE-2023-40049, an information disclosure issue, among others.
“WF_FTP has a rich history and is typically used among IT and developers,” says Timothy Morris, chief security advisor at Tanium, adding that organizations that maintain a good software inventory and/or have programs to monitor software use in their environment should have a relatively easy time tracking down and updating vulnerable instances of WS_FTP.”
He adds, “Also, since running versions of WS_FTP typically has incoming ports open to accept connection requests, it wouldn’t be difficult to spot with network monitoring tools.”
“I’d start with software inventory tools to scan the environment — app installed, service running — then use file searches as a secondary method to search and find versions of WS_FTP, at rest,” he says.