Progress Software WS_FTP Server Vulnerability Exploited After Release of PoC Code
Last week, Progress Software issued a security advisory about 8 vulnerabilities that had been discovered in WS_FTP Server, and customers were advised to update to the latest version immediately to prevent exploitation. Prompt patching of known vulnerabilities is vital, and the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer application in May, together with the earlier mass exploitation of a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution, should have put users on alert that vulnerabilities in file transfer products are popular targets for cyber threat actors.
Progress Software issued an alert about the vulnerabilities on September 27, 2023, and urged all customers to update to WS_FTP Server 8.8.2, which was patched against all 8 vulnerabilities, or at least to disable or remove the Ad Hoc Transfer module that was affected by the vulnerabilities. The first exploits of the vulnerabilities were detected by researchers at Rapid7 on Saturday, three days after the patches were released. Rapid7 said it detected exploitation of one of the vulnerabilities in multiple customer environments but did not detect any data exfiltration, and said that, for the time being at least, the incidents appear to have been contained.
Any customer that uses WS_FTP Server should ensure that the updates are applied immediately to prevent exploitation of the flaws, two of which are rated critical. The first allows an attacker to execute remote commands on the underlying WS_FTP Server operating system (CVE-2023-40044). The second allows an attacker to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path, and to perform the same operations on the underlying operating system (CVE-2023-42657).
The rapid exploitation of the vulnerabilities appears to have been facilitated by the release of proof-of-concept (PoC) exploit code for the CVE-2023-40044 vulnerability on Friday, just two days after the vulnerabilities were disclosed and patches were released, guaranteeing the vulnerability would be exploited before many customers had time to update to the latest version. “We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch,” a spokesperson for Progress Software told The HIPAA Journal.
This is the very reason why it is vital to have responsible disclosures – to give users time to apply the patches and secure their systems. In the case of the WS_FTP Server flaws, updating to the latest version would involve a temporary loss of service during the updating process, which for many customers would mean the update would need to be planned.
“We are not aware of any evidence that these vulnerabilities were being exploited prior to that release. Unfortunately, by building and releasing a POC rapidly after our patch was released, a third party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible,” said the spokesperson. “The security of our customers is our top priority and we continue to work with our customers and responsible third-party research experts to discover, properly disclose and remediate any issues. We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors.”