What is the Vulnerability in WS_FTP Server ?
CVE-2023-40044, WS_FTP's Ad Hoc Transfer module's a .NET deserialization vulnerability. An unauthenticated (or previously authenticated) attacker could exploit this by sending a specially crafted POST request, enabling them to execute remote commands on a vulnerable WS_FTP Server.
CVE-2023-42657, on the other hand, is a directory (or path) traversal vulnerability in WS_FTP. An authenticated remote attacker could exploit this to access and modify files (deleting, renaming) and folders (creating, deleting) outside of authorized WS_FTP folders, as well as paths on the underlying operating system.
So, What Did This Vulnerability Lead To?
Towards the end of May, a zero-day vulnerability in Progress Software's MOVEit Transfer secure managed file transfer (MFT) software was exploited by the CL0P ransomware group, putting over 2,000 organizations at risk according to Emsisoft researchers.
Reports of in-the-wild exploitation following the publication of the proof-of-concept
On September 29, an exploit writer and researcher known as "MCKSys Argentina" shared details of a proof-of-concept (PoC) for CVE-2023-40044 on X (formerly known as Twitter). This includes screenshots of an HTTP POST request to a vulnerable WS_FTP Server and features a deserialization payload generated using ysoserial.net.
Shubham Shah, co-founder and CTO of Assetnote, one of the two researchers credited with the discovery of CVE-2023-40044, stated that a write-up for this vulnerability would be shared within 30 days after the release of the patch or earlier if exploitation details become available.
What is the Solution?
Progress Software has released the following fixed versions for WS_FTP Server 2020 and 2022:
| Product | Fixed Version |
|---|---|
| WS_FTP Server 2020 | 2020.0.4 (8.7.4) |
| WS_FTP Server 2022 | 2022.0.2 (8.8.2) |
Resources and Source Tables
| CVE | Description | Vendor Assigned CVSSv3 | VPR* | Severity |
|---|---|---|---|---|
| CVE-2023-40044 | WS_FTP .NET Deserialization Vulnerability in Ad Hoc Transfer Module | 10.0 | 9.2 | Critical |
| CVE-2023-42657 | WS_FTP Directory Traversal Vulnerability | 9.9 | 7.1 | Critical |
| CVE | Description | Vendor Assigned CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-40045 | WS_FTP Reflected Cross-Site Scripting (XSS) Vulnerability | 8.3 | High |
| CVE-2023-40046 | WS_FTP SQL Injection Vulnerability | 8.2 | High |
| CVE-2023-40047 | WS_FTP Stored XSS Vulnerability | 8.3 | High |
| CVE-2023-40048 | WS_FTP Cross-Site Request Forgery Vulnerability | 6.8 | Medium |
| CVE-2022-27665 | WS_FTP Reflected XSS Vulnerability | 6.1 | Medium |
| CVE-2023-40049 | WS_FTP Information Disclosure Vulnerability | 5.3 | Medium |
