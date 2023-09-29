Progress Software has released urgent fixes for a critical security vulnerability, along with seven other flaws, in the Ad Hoc Transfer module and the manager interface of WS_FTP Server, its widely used FTP (File Transfer Protocol) server software for hosting file transfers over the Internet or a local network.

The eight WS_FTP Server flaws

The most severe flaw, tracked as CVE-2023-40044, has a CVSS score of 10.0, the maximum possible. According to Progress, all versions of WS_FTP Server are affected.

“In versions of the WS_FTP Server prior to 8.7.4 and 8.8.2, a previously authenticated attacker could exploit a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying operating system of the WS_FTP Server,” the company said in an advisory.

Assetnote security researchers Shubham Shah and Sean Yeoh were credited with discovering and reporting the vulnerability.

The other flaws, all affecting versions of WS_FTP Server prior to 8.8.2, are:

CVE-2023-42657 (CVSS score: 9.9): A directory traversal vulnerability that could be exploited to perform file operations outside the intended directory.
CVE-2023-40045 (CVSS score: 8.3): A reflected cross-site scripting (XSS) vulnerability in the Ad Hoc Transfer module of WS_FTP Server that could be exploited to execute malicious JavaScript in the context of the victim’s browser.
CVE-2023-40047 (CVSS score: 8.3): A stored cross-site scripting (XSS) vulnerability in the WS_FTP Server Management module that could be exploited by an attacker with administrator privileges to import an SSL certificate whose attributes contain XSS payloads, which would then execute in the victim’s browser.
CVE-2023-40046 (CVSS score: 8.2): An SQL injection vulnerability in the WS_FTP Server manager interface that could be exploited to infer information stored in the database and to execute SQL statements that alter or delete its contents.
CVE-2023-40048 (CVSS score: 6.8): A cross-site request forgery (CSRF) vulnerability in the WS_FTP Server manager interface.
CVE-2022-27665 (CVSS score: 6.1): A reflected cross-site scripting (XSS) vulnerability in Progress Ipswitch WS_FTP Server 8.6.0 that can lead to malicious code and command execution on the client.
CVE-2023-40049 (CVSS score: 5.3): An authentication bypass vulnerability that allows users to enumerate files in the ‘WebServiceHost’ directory listing.
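The advisory quoted above gives the version thresholds that matter for triage: CVE-2023-40044 is fixed in 8.7.4 and 8.8.2, while the seven flaws listed here are described as affecting versions prior to 8.8.2. As an added example, not code from Progress Software or from this article, the check below encodes exactly those thresholds so an inventory of installed versions can be classified without a mistaken "older than 8.7.4" comparison clearing 8.8.0 and 8.8.1. The version strings it processes are constructed samples, and treating 8.7.4 as fixed only for the critical flaw follows this page's wording rather than the vendor's full release notes, so that is an assumption.

```python
"""Patch-state check for the WS_FTP Server advisory summarised above.

Added example, not Progress Software code. It encodes only the version
thresholds the advisory states: CVE-2023-40044 is fixed in 8.7.4 and 8.8.2,
the remaining seven flaws are listed as fixed in 8.8.2. Where the installed
version string comes from (product About dialog, inventory export) is up to
the reader; the strings used below are constructed sample inputs.
"""
import re
from typing import Tuple

Version = Tuple[int, ...]

# Fixed versions named in the Progress advisory.
FIX_87_BRANCH = (8, 7, 4)   # assumption from the page's wording: fixes CVE-2023-40044 only
FIX_88_BRANCH = (8, 8, 2)   # fixes all eight CVEs

OTHER_CVES = [
    "CVE-2023-42657", "CVE-2023-40045", "CVE-2023-40047", "CVE-2023-40046",
    "CVE-2023-40048", "CVE-2022-27665", "CVE-2023-40049",
]


def parse_version(text: str) -> Version:
    """Turn '8.8.1' or 'WS_FTP Server 8.7.3 (build 12)' into a comparable tuple.

    Only the leading dotted numeric part is used; a trailing build number is
    ignored because the advisory states thresholds as plain x.y.z versions.
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Normalise to three components so (8, 8) compares like (8, 8, 0).
    return (parts + (0, 0, 0))[:3]


def vulnerable_to_40044(v: Version) -> bool:
    """CVE-2023-40044: fixed in 8.7.4 (8.7 branch) and 8.8.2 (8.8 branch).

    8.8.0 and 8.8.1 are newer than 8.7.4 but still vulnerable, so a plain
    'older than 8.7.4' comparison would wrongly clear them. Anything before
    the 8.7 branch is vulnerable, matching 'all versions are affected'.
    """
    if v[:2] == (8, 7):
        return v < FIX_87_BRANCH
    return v < FIX_88_BRANCH


def vulnerable_to_others(v: Version) -> bool:
    """The seven remaining CVEs: listed as affecting versions prior to 8.8.2."""
    return v < FIX_88_BRANCH


def assess(text: str) -> dict:
    """Return which of the listed CVEs an installed version is still exposed to."""
    v = parse_version(text)
    exposed = []
    if vulnerable_to_40044(v):
        exposed.append("CVE-2023-40044")
    if vulnerable_to_others(v):
        exposed.extend(OTHER_CVES)
    return {"version": ".".join(map(str, v)), "exposed": exposed, "patched": not exposed}


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    samples = ["8.6.0", "8.7.3", "8.7.4", "8.8.1", "8.8.2",
               "WS_FTP Server 8.8.3 (build 7)"]
    for line in samples:
        r = assess(line)
        state = "patched" if r["patched"] else "EXPOSED to " + ", ".join(r["exposed"])
        print(f"{r['version']:>6}: {state}")
```

Note that under this page's wording a host on 8.7.4 is clear of the critical deserialization flaw but still reported as exposed to the other seven; if the vendor's release notes say otherwise for a particular CVE, adjust the thresholds rather than the comparison logic.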

With flaws in Progress Software products having become an attractive target for ransomware groups such as Cl0p, users should apply the latest patches quickly to limit their exposure.

Meanwhile, the company is still dealing with the fallout from the mass exploitation of its MOVEit Transfer secure file transfer platform, which began in May 2023. Emsisoft estimates that more than 2,100 organizations and over 62 million individuals were affected.

Conclusion

Software vulnerabilities such as those found in Progress Software’s WS_FTP Server pose a serious threat to the security of enterprise data and systems. Businesses and users should treat the prompt application of available fixes and updates as a priority in protecting their systems from attack.

The situation highlights how crucial collaboration between independent security researchers and software vendors is. Researchers who discover and report these vulnerabilities play a critical role in improving digital security and in denying cybercriminals the chance to exploit them.

Vendors must be prepared to respond promptly and responsibly to vulnerability reports, providing fixes and updates that protect end users.