Pierluigi Paganini
October 02, 2023
Progress Software recently warned customers to address a critical severity vulnerability, tracked as CVE-2023-40044 (CVSS score 10), in its WS_FTP Server software which is used by thousands of IT teams worldwide. The vulnerability was discovered by researchers at the cybersecurity firm Assetnote.
“The WS_FTP team recently discovered vulnerabilities in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface. All versions of WS_FTP Server are affected by these vulnerabilities.” reads the advisory from the vendor
A pre-authenticated, remote attacker could leverage a .NET deserialization issue in the Ad Hoc Transfer module to execute arbitrary commands on the underlying WS_FTP Server operating system.
“Ultimately, we discovered that the vulnerability could be triggered without any authentication, and it affected the entire Ad Hoc Transfer component of WS_FTP. It was a bit shocking that we were able to reach the deserialization sink without any authentication.” reads the advisory published by Assetnote.
The issue affects WS_FTP Server versions prior to 8.7.4 and 8.8.2.
Assetnote researchers discovered about 2.9k hosts exposed on the internet that are running WS_FTP, they also published a PoC exploit for this vulnerability.
“This vulnerability turned out to be relatively straight forward and represented a typical .NET deserialization issue that led to RCE. It’s surprising that this bug has stayed alive for so long, with the vendor stating that most versions of WS_FTP are vulnerable.” continues Assetnote. “From our analysis of WS_FTP, we found that there are about 2.9k hosts on the internet that are running WS_FTP (and also have their webserver exposed, which is necessary for exploitation). Most of these online assets belong to large enterprises, governments and educational institutions.”
Cybersecurity firm Rapid7 reported that threat actors started exploiting the CVE-2023-40044 flaw shortly after the release of the PoC code by Assetnote.
“As of September 30, Rapid7 has observed multiple instances of WS_FTP exploitation in the wild.” reads the report published by Rapid7. “In the evening hours of September 30, 2023, Rapid7 observed what appears to be exploitation of one or more recently disclosed WS_FTP vulnerabilities in multiple customer environments. Individual alerts our team responded to occurred within minutes of one another between 2023-10-01 01:38:43 UTC and 01:41:38 UTC. The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Progress Software)
