CVE-2023-40044, CVE-2023-42657: Two Critical Vulnerabilities Impacting Progress WS_FTP Server


On 27 September 2023, Progress Software released a security advisory detailing multiple vulnerabilities in its WS_FTP Server product, including two rated critical. CVE-2023-40044 (CVSS 10.0) is a pre-authentication .NET deserialisation vulnerability in the Ad Hoc Transfer module that could allow a threat actor to execute commands on the underlying operating system. CVE-2023-42657 (CVSS 9.9) is a directory traversal vulnerability that could allow a threat actor to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside their authorised WS_FTP folder path, and to escape the WS_FTP Server file structure entirely and perform the same operations on file and folder locations on the underlying operating system. 

Note: The Ad Hoc Transfer Module affected by CVE-2023-40044 is installed as part of a standard installation but can be removed or disabled to prevent exploitation.  

The vulnerabilities were either discovered by the WS_FTP team or responsibly disclosed to Progress. At the time of writing, we are not aware of active exploitation and have not observed a public proof of concept (PoC) exploit for either vulnerability. Historically, threat actors have not targeted Progress' WS_FTP Server; however, Cl0p threat actors recently leveraged an SQL injection vulnerability in Progress' MOVEit Transfer product to exfiltrate data and extort compromised organisations. Based on the potential for remote code execution, the prevalence of WS_FTP Server, the ease of exploitation, and the sensitivity of data stored on file transfer servers, we assess that threat actors will likely develop a working PoC exploit in the near term. 

Recommendations for CVE-2023-40044, CVE-2023-42657

Apply the Latest Security Patches Released by Progress 

Progress Software has released security patches for supported versions that resolve these vulnerabilities. We strongly recommend applying the latest security patches to prevent potential exploitation. Progress Software recommends upgrading to the latest release, which is 8.8.2. 

If your version of WS_FTP is no longer supported, we highly recommend upgrading to a supported and fixed version. Supported versions and the WS_FTP product support lifecycle can be found here: https://community.progress.com/s/products/ws-ftp/product-lifecycle  

 

Product               Vulnerable Version         Fixed Version
WS_FTP Server 2020    Versions prior to 8.7.4    8.7.4
WS_FTP Server 2022    Versions prior to 8.8.2    8.8.2

 

Please follow your organisation's patching and testing guidelines to avoid operational impact. 
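
The following PowerShell is an added example for checking patch status on a WS_FTP Server host; it is not part of the Progress advisory or of Arctic Wolf's tooling. It reads the standard Windows Uninstall registry keys, picks out entries whose DisplayName contains "WS_FTP Server" (an assumption about how the installer registers the product; adjust the filter if yours differs), and compares the installed version numerically against the fixed builds in the table above (8.7.4 for the 8.7 branch, 8.8.2 for the 8.8 branch). Anything on an older, unsupported branch is flagged for upgrade to a supported fixed version.

```powershell
# Added example, not from the Progress or Arctic Wolf advisory.
# Flags WS_FTP Server installs whose version is below the fixed build for their branch.
# Assumptions: the product appears under the standard Uninstall keys with a DisplayName
# containing "WS_FTP Server" and a dotted DisplayVersion (e.g. 8.7.3). Versions are compared
# as [version] objects so that 8.7.10 is correctly treated as newer than 8.7.4.

$fixed = @{
    '8.7' = [version]'8.7.4'   # WS_FTP Server 2020
    '8.8' = [version]'8.8.2'   # WS_FTP Server 2022
}

function Get-WsFtpPatchStatus {
    param([Parameter(Mandatory)][version]$Installed)

    $branch = "$($Installed.Major).$($Installed.Minor)"
    if ($fixed.ContainsKey($branch)) {
        if ($Installed -ge $fixed[$branch]) { return 'Patched' }
        return "Vulnerable: upgrade to $($fixed[$branch])"
    }
    if ($Installed -lt [version]'8.7') {
        # Older branches are out of support; Progress recommends moving to 8.8.2.
        return 'Vulnerable: unsupported branch, upgrade to 8.8.2'
    }
    return 'Unknown branch: verify against the Progress advisory'
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*WS_FTP Server*' -and $_.DisplayVersion } |
    ForEach-Object {
        [pscustomobject]@{
            Product = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = Get-WsFtpPatchStatus -Installed ([version]$_.DisplayVersion)
        }
    }
```

Run it in an elevated PowerShell session on each WS_FTP Server host (or via Invoke-Command against a list of hosts) and treat any non-"Patched" result as a host still exposed to both CVEs. The registry check only confirms the installed build; it says nothing about whether the Ad Hoc Transfer module is present, so hosts reported as "Vulnerable" should also be reviewed against the workaround below.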

Workaround: Disable or Remove the WS_FTP Server Ad Hoc Transfer Module 

Note: This workaround does not remediate CVE-2023-42657. 

If applying the latest security patch is not feasible, consider disabling or removing the WS_FTP Server Ad Hoc Transfer Module to prevent successful exploitation of CVE-2023-40044. Progress has provided documentation for doing this here: https://community.progress.com/s/article/Removing-or-Disabling-the-WS-FTP-Server-Ad-hoc-Transfer-Module 


Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.