WS_FTP Vulnerability Notice
Date of Notice: 10/4/2023
Action Level - Critical
Description
As part of our Edgeguard service, MCNC would like to make you aware of new threats affecting WS_FTP Server versions prior to 8.7.4 and 8.8.2. The first vulnerability, tracked as CVE-2023-40044, is believed to allow remote code execution. The second, CVE-2023-42657, is a directory traversal vulnerability that could allow an attacker to read sensitive files and information from the filesystem.
Due to the nature and critical severity of these vulnerabilities, and their ability to impact file transfer server devices that are internal to your network, MCNC recommends patching these vulnerabilities as soon as possible.
Full information, including affected versions and remediation steps, can be found on the Progress website for the CVE.
Affected Device
- WS_FTP Server versions prior to 8.7.4 and 8.8.2
Attack Vector
All versions of WS_FTP Server with the Ad Hoc Module installed.
Attack Feasibility
A proof of concept currently exists, produced by Shubham Shah, who discovered the vulnerability. The attacker only needs to feed WS_FTP data that, when the server deserializes it, causes the remote code to be executed.
Mitigations
Exploiting the vulnerability requires the Ad Hoc Module; therefore, disabling the Ad Hoc Transfer Module will mitigate it until you are able to update. Here is a link on how to do this.
Remediation
The remediation for this vulnerability is to update to the latest WS_FTP Server version 8.7.4 or 8.8.2. The steps for updating, as well as a link to the download, can be found here under Solution. If you’re unable to update, please follow the steps for mitigation.
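
As an added example (not from MCNC or Progress), the following Python script triages an asset inventory against the fixed versions named in this notice and assigns the update or interim mitigation action to each host. It assumes 8.7.4 and 8.8.2 are per-branch fixes, so an 8.8.0 or 8.8.1 host is still affected even though it is numerically newer than 8.7.4; the host names and CSV columns are constructed for illustration.

```python
import csv
import io

# Fixed releases named in the notice; treating them as per-branch fixes is an assumption.
FIXED = {(8, 7): (8, 7, 4), (8, 8): (8, 8, 2)}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,version,adhoc_module
ftp-a.example.org,8.7.3,yes
ftp-b.example.org,8.8.0,no
ftp-c.example.org,8.7.4,yes
ftp-d.example.org,8.8.2,yes
ftp-e.example.org,8.6.1,yes
ftp-f.example.org,unknown,yes
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not numeric x.y[.z]."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0]
    return tuple(nums[:3])

def is_affected(version):
    """True if the version is prior to the fixed release for its branch."""
    # Branches other than 8.8 (older or newer) are compared against 8.7.4.
    fixed = FIXED.get(version[:2], FIXED[(8, 7)])
    return version < fixed

def triage(inventory_csv):
    """Map each host to 'patched', 'update', 'update+disable-adhoc' or 'check-manually'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        if version is None:
            result[row["host"]] = "check-manually"
        elif not is_affected(version):
            result[row["host"]] = "patched"
        elif row["adhoc_module"].strip().lower() == "yes":
            # Interim mitigation from the notice: disable the Ad Hoc Transfer Module until updated.
            result[row["host"]] = "update+disable-adhoc"
        else:
            result[row["host"]] = "update"
    return result

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```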