Progress Patches Multiple Vulnerabilities in WS_FTP Server (CVE-2023-40044 & CVE-2023-42657)

Progress Software has recently released patches to address multiple security vulnerabilities impacting the WS_FTP Server Ad hoc Transfer Module and the WS_FTP Server Manager interface. Out of eight vulnerabilities patched in the updates, two vulnerabilities, CVE-2023-40044 and CVE-2023-42657, are rated as critical.

WinSock File Transfer Protocol, or WS_FTP, is a secure file transfer software package. The server provides advanced features, including SFTP capability, 256-bit AES encryption, SSH transfers, SCP2, and more. WS_FTP assures reliable and secure transfer of critical data.

The remaining vulnerabilities patched in the latest version are:

  • CVE-2023-40045: A reflected cross-site scripting (XSS) vulnerability in WS_FTP Server’s Ad Hoc Transfer module. The vulnerability may allow an attacker to target WS_FTP Server users with a specialized payload which results in the execution of malicious JavaScript within the context of the victim’s browser.
  • CVE-2023-40046: A SQL injection vulnerability in the WS_FTP Server manager interface. Successful exploitation of the vulnerability may allow an attacker to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
  • CVE-2023-40047: A stored cross-site scripting (XSS) vulnerability in WS_FTP Server’s Management module. An attacker with administrative privileges could exploit the vulnerability and import an SSL certificate with malicious attributes containing cross-site scripting payloads.
  • CVE-2023-40048: A cross-site request forgery (CSRF) vulnerability in the WS_FTP Server Manager interface.
  • CVE-2022-27665: Reflected cross-site scripting (XSS) (via AngularJS sandbox escape expressions) in Progress Ipswitch WS_FTP Server 8.6.0. Successful exploitation of the vulnerability may lead to execution of code and commands on the client due to improper handling of user-provided input.
  • CVE-2023-40049: An unauthenticated user could enumerate files under the ‘WebServiceHost’ directory listing.

Security researchers at Assetnote have released a proof-of-concept (PoC) exploit for the vulnerability.

CISA has added CVE-2023-40044 to its Known Exploited Vulnerabilities Catalog and urged users to patch it before October 26, 2023.

CVE-2023-40044

The vulnerability has been given a critical severity rating with a CVSS score of 10. This is a .NET deserialization vulnerability in the Ad Hoc Transfer module. A pre-authenticated attacker may exploit this vulnerability to perform remote code execution on the underlying WS_FTP Server operating system.

CVE-2023-42657

The vulnerability has been given a critical severity rating with a CVSS score of 9.9. This directory traversal vulnerability may allow an attacker to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations on file and folder locations on the underlying operating system.
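The class of bug described above is a failure to keep client-supplied paths inside the user's authorized folder. The following is an added example (not WS_FTP Server code, and not taken from the Progress advisory) of the check a file-transfer service should apply before any delete, rename, rmdir or mkdir request. The root `/srv/wsftp/users/alice`, the `OPERATION_ARITY` table and the sample requests are constructed for illustration; the function names are this example's own.

```python
import posixpath
from typing import Optional, Tuple

# Constructed per-user root for this example; a real deployment would take
# it from the server's user configuration.
USER_ROOT = "/srv/wsftp/users/alice"

# Operations the advisory names for CVE-2023-42657, with the number of
# client-supplied paths each one carries (rename has a source and a target).
OPERATION_ARITY = {"delete": 1, "rmdir": 1, "mkdir": 1, "rename": 2}


def resolve_in_root(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto the user's authorized folder.

    Returns the normalized absolute path if it stays inside `root`, or None
    if the request would escape it. Paths are handled as POSIX strings so
    the logic is identical on every platform; on a live Windows host the
    caller would additionally canonicalize the result with the OS to
    collapse symlinks and junctions.
    """
    # An embedded NUL can truncate the path at a lower layer; reject it outright.
    if "\x00" in requested:
        return None
    # The server runs on Windows, and clients may send either separator style.
    candidate = requested.replace("\\", "/")
    # A leading slash means "relative to the user's virtual root", not the
    # real filesystem root.
    candidate = candidate.lstrip("/")
    root_norm = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root_norm, candidate))
    # The trailing separator matters: without it "/users/alice2" would pass
    # as a child of "/users/alice".
    if resolved == root_norm or resolved.startswith(root_norm + "/"):
        return resolved
    return None


def authorize_operation(op: str, root: str, *paths: str) -> Tuple[bool, list]:
    """Decide whether a file operation may proceed.

    Every path the operation touches must resolve inside `root`; a rename
    whose target escapes is refused even when its source is legitimate.
    Returns (allowed, resolved_paths); on refusal resolved_paths is empty.
    """
    if op not in OPERATION_ARITY or len(paths) != OPERATION_ARITY[op]:
        return False, []
    resolved = [resolve_in_root(root, p) for p in paths]
    if any(r is None for r in resolved):
        return False, []
    return True, resolved


if __name__ == "__main__":
    # Constructed requests: the first two stay in bounds, the rest attempt
    # the kind of escape the advisory describes.
    samples = [
        ("delete", "docs/report.txt"),
        ("mkdir", "/uploads/2023"),
        ("delete", "../bob/private.key"),
        ("rmdir", "..\\..\\Windows\\Temp"),
        ("rename", "docs/report.txt", "../../../../etc/cron.d/job"),
    ]
    for op, *args in samples:
        allowed, resolved = authorize_operation(op, USER_ROOT, *args)
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{verdict} {op:<6} {args} -> {resolved}")
```

Two details carry most of the value: normalization happens after joining to the root (so `..` segments are collapsed against the real root, not against whatever the client claims), and the containment test uses the root with a trailing separator, which closes the sibling-prefix hole. A denied request is also the natural place to emit an audit event, since repeated traversal attempts against one account are a useful detection signal.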

Affected Versions

The vulnerabilities affect WS_FTP Server versions before 8.7.4 and 8.8.2.

Mitigation

Customers must upgrade to WS_FTP Server 8.7.4, 8.8.2, or later to patch the vulnerabilities. For more information, please refer to the WS_FTP Security Advisory.
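Because the fix ships on two branches, a single "is it older than the fixed version" comparison misclassifies 8.8.0 and 8.8.1 (they sort above 8.7.4 but are still vulnerable). The following is an added example, not Qualys detection logic and not from the Progress advisory, of a per-branch version check suitable for triaging an asset inventory. It assumes the advisory's wording means 8.7.x is fixed from 8.7.4 and 8.8.x from 8.8.2, with anything at or above 8.8.2 covered by "or later"; the host names and versions are constructed.

```python
from typing import Tuple

# Fixed releases named in the advisory; each 8.x branch has its own fix.
FIXED_8_7 = (8, 7, 4)
FIXED_8_8 = (8, 8, 2)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a dotted version string into a comparable 3-tuple."""
    parts = [int(p) for p in version.strip().split(".")]
    # Pad short strings ("8.8") and drop build components ("8.8.2.0").
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix for its branch.

    A single comparison against one fixed version is wrong here: 8.8.0 sorts
    above 8.7.4 yet is still vulnerable, so each branch is checked separately.
    """
    v = parse_version(version)
    if v >= FIXED_8_8:
        return False          # 8.8.2 or any later release
    if FIXED_8_7 <= v < (8, 8, 0):
        return False          # patched 8.7.x release
    return True               # older 8.7.x, 8.8.0/8.8.1, or any earlier branch


def triage(inventory):
    """Return the (host, version) pairs that still need the upgrade, oldest first."""
    pending = [(host, ver) for host, ver in inventory if is_vulnerable(ver)]
    return sorted(pending, key=lambda hv: parse_version(hv[1]))


if __name__ == "__main__":
    # Constructed inventory for illustration.
    hosts = [
        ("ftp-01.example.test", "8.7.3"),
        ("ftp-02.example.test", "8.7.4"),
        ("ftp-03.example.test", "8.8.0"),
        ("ftp-04.example.test", "8.8.2"),
        ("ftp-05.example.test", "8.6.0"),
    ]
    for host, ver in triage(hosts):
        print(f"UPGRADE {host} (running {ver})")
```

Versions from branches older than 8.7 are reported as vulnerable because the advisory lists no fixed release for them; the only supported path is the upgrade to 8.7.4 or 8.8.2.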

Qualys Detection

Qualys customers can scan their devices with QID 27395 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
