Progress Fixes Critical Pre-Auth RCE Flaws in WS_FTP Server
The vulnerabilities could allow remote code execution, bypass of authorization controls, and exposure of sensitive information.
According to the advisory from Progress, the vulnerabilities exist in the WS_FTP Server Ad Hoc Transfer Module, the WS_FTP Server Manager interface, and other components.
What is a WS_FTP Server?
WS_FTP Server is a widely used FTP server software solution developed by Progress Software. It enables organizations to set up secure FTP servers on Windows, Linux, and UNIX systems to allow file transfers over the FTP protocol.
First released in 1996, WS_FTP Server is one of the longest standing and most trusted FTP solutions available today. It provides user access control, encryption, automation features, and centralized administration for efficient file sharing.
Multiple Vulnerabilities Discovered in WS_FTP Server
Remote Code Execution
The most alarming issue is CVE-2023-40044, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system. The vulnerability has been rated critical with a CVSS score of 10/10. This vulnerability in the Ad Hoc Transfer Module can be exploited to achieve remote code execution.
By sending specially crafted input to the module, an unauthenticated remote attacker could execute arbitrary system commands and take complete control of the underlying operating system. This presents an extremely serious security risk.
Directory Traversal for Unauthorized File Access
Another critical vulnerability tracked as CVE-2023-42657 enables directory traversal attacks. This could allow an attacker to manipulate paths to access, delete, or modify files outside of their authorized directories.
Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system. This jeopardizes the integrity of the entire server.
Cross-Site Scripting
Multiple cross-site scripting (XSS) flaws were also found in various WS_FTP Server components. CVE-2023-40045 affects the Ad Hoc Transfer module, while CVE-2023-40047 impacts the management module.
Attackers able to leverage these vulnerabilities could inject malicious JavaScript into web pages seen by administrators and users. An attacker could leverage this vulnerability to target WS_FTP Server users with a specialized payload which results in the execution of malicious JavaScript within the context of the victim's browser.
SQL Injection and Other Issues
Among the remaining vulnerabilities are SQL injection, cross-site request forgery, and information disclosure bugs. According to Progress, these could enable unauthorized access to sensitive data as well as additional attacks depending on the context.
The vulnerability identified as CVE-2023-40046 is an SQL injection vulnerability that exists in the WS_FTP Server Manager interface. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
Patch Released - Update Now
To mitigate the risk, Progress has released patched versions 8.7.4 and 8.8.2 of WS_FTP Server.
| Fixed Version | Documentation | Release Notes |
|---|---|---|
| WS_FTP Server 2020.0.4 (8.7.4) | Upgrade Documentation | WS_FTP Server 2020 |
| content_here | Upgrade Documentation | WS_FTP Server 2022 |
All customers are urged to upgrade as soon as possible. For servers running unsupported versions, Progress recommends upgrading to the latest supported release.
Administrators unable to immediately upgrade should disable or remove the Ad Hoc Transfer Module as an interim remediation step. Progress has provided instructions for accomplishing this in a knowledge-based article.
A spokesperson contacted Cyber Kendra with the following statement -
“We have responsibly disclosed these vulnerabilities in conjunction with the researchers at Assetnote. Currently, we have not seen any indication that these vulnerabilities have been exploited. We have issued a fix and have encouraged our customers to perform an upgrade to the patched version of our software. Security is of the utmost importance to us and we leverage development practices to minimize product vulnerabilities whenever possible.”
However, researchers from Assessnote have also released the technical details of RCE bug CVE-2023-40044, which can be read here.
The vulnerabilities were reported to Progress by security researchers at Assetnote and Deloitte. Progress has credited the researchers who discovered specific flaws as part of its coordinated vulnerability disclosure process.
This news underscores the importance of staying current with vendor security updates. Servers running outdated software are exposed to publicly known vulnerabilities that can often be easily exploited.
Lastly, Progress had a tough time with its MOVEit Transfer software. The zero-day flaw (CVE-2023-34362) in MOVEit Transfer is an SQL injection vulnerability that leads to remote code execution and was exploited by the cl0p ransomware gang.
We advise all WS_FTP Server administrators to implement Progress's remediations without delay.