On 27 September 2023, Progress Software released a security advisory detailing multiple vulnerabilities in its WS_FTP Server product, including two rated critical. CVE-2023-40044 (CVSS 10.0) is a deserialisation vulnerability in the Ad Hoc Transfer module that could allow a threat actor to achieve remote code execution if successfully exploited. CVE-2023-42657 (CVSS 9.9) is a directory traversal vulnerability that could allow a threat actor to perform file operations on files and folders outside their authorised WS_FTP folder paths, and to escape the WS_FTP Server file structure entirely and perform the same operations on the underlying operating system.
Note: The Ad Hoc Transfer Module affected by CVE-2023-40044 is installed as part of a standard installation but can be removed or disabled to prevent exploitation.
The vulnerabilities were either discovered internally by the WS_FTP team or responsibly disclosed to Progress, and at the time of writing we are not aware of active exploitation; we have not observed a public proof-of-concept (PoC) exploit for either vulnerability. Historically, threat actors have not targeted Progress' WS_FTP Server. However, Cl0p threat actors recently leveraged an SQL injection vulnerability in Progress' MOVEit Transfer product (CVE-2023-34362) to exfiltrate data and extort compromised organisations. Based on the potential for remote code execution, the prevalence of WS_FTP Server, the expected ease of exploitation, and the sensitivity of data stored on a file transfer server, we assess that threat actors will likely develop a working PoC exploit in the near term.
Recommendations for CVE-2023-40044, CVE-2023-42657
Apply the Latest Security Patches Released by Progress
Progress Software has provided security patches for supported versions to resolve both vulnerabilities. We highly recommend applying the latest security patches to prevent potential exploitation. Progress Software recommends upgrading to the highest available version, which is 8.8.2.
If your version of WS_FTP is no longer supported, we highly recommend upgrading to a supported and fixed version. Supported versions and the WS_FTP product support lifecycle can be found here: https://community.progress.com/s/products/ws-ftp/product-lifecycle
|Product|Affected versions|
|WS_FTP Server 2020|Versions prior to 8.7.4|
|WS_FTP Server 2022|Versions prior to 8.8.2|
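To turn the affected-version table above into a repeatable check, the following is an added example (not code from Progress or from the original advisory) that classifies WS_FTP Server version strings, for instance as exported from an asset inventory, against the fixed builds. It assumes that WS_FTP Server 2020 is the 8.7.x branch and WS_FTP Server 2022 is the 8.8.x branch, treats anything older than 8.7 as out of support per the lifecycle note above, and the hostnames and versions in the sample inventory are constructed for illustration.

```python
# Fixed builds per the advisory table. The mapping of product year to
# version branch (2020 -> 8.7.x, 2022 -> 8.8.x) is an assumption of this example.
FIXED_VERSIONS = {
    (8, 7): (8, 7, 4),   # WS_FTP Server 2020
    (8, 8): (8, 8, 2),   # WS_FTP Server 2022
}

# Constructed sample inventory: "hostname,version" per line.
SAMPLE_INVENTORY = """\
ftp-dmz-01,8.8.2
ftp-dmz-02,8.8.1
ftp-legacy-01,8.7.3
ftp-legacy-02,8.7.4
ftp-old-01,8.6.1
"""


def parse_version(text):
    """Turn '8.7.3' or '8.8.2.0' into a tuple of ints; reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return (status, fixed_build) for one WS_FTP Server version string.

    status is one of:
      'patched'         at or above the fixed build of its branch
      'vulnerable'      a branch in the table, below its fixed build
      'unsupported'     older than 8.7; no fix in the table, upgrade required
      'not_in_advisory' newer than the branches the advisory covers
    """
    version = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return ("unsupported" if branch < (8, 7) else "not_in_advisory"), None
    # Pad to three components so a bare '8.8' compares as 8.8.0; extra
    # components such as a build number are ignored for the comparison.
    v3 = (version + (0, 0, 0))[:3]
    status = "patched" if v3 >= fixed else "vulnerable"
    return status, ".".join(map(str, fixed))


def triage(inventory_csv):
    """Map every host in a 'hostname,version' inventory to its patch status."""
    results = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        status, _ = assess(version)
        results[host.strip()] = status
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Hosts reported as `vulnerable` need the branch's fixed build; hosts reported as `unsupported` are on an end-of-life branch and must move to a supported, fixed version rather than waiting for a patch that will not come.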
Please follow your organisation's patching and testing guidelines to avoid operational impact.
Workaround: Disable or Remove the WS_FTP Server Ad Hoc Transfer Module
Note: This workaround does not remediate CVE-2023-42657.
If applying the latest security patch is not feasible, consider disabling or removing the WS_FTP Server Ad Hoc Transfer Module to prevent successful exploitation of CVE-2023-40044; the directory traversal vulnerability, CVE-2023-42657, still requires the patch. Progress has documented how to remove or disable the module here: https://community.progress.com/s/article/Removing-or-Disabling-the-WS-FTP-Server-Ad-hoc-Transfer-Module