Progress Software has urged customers to patch a critical new vulnerability in one of its flagship file transfer software products, which could impact thousands of customers worldwide.
The software company is more famous for MOVEit, a managed file transfer offering which was recently exploited to devastating effect by the Clop ransomware gang.
However, the CVSS 10.0 vulnerability, CVE-2023-40044, is found in the firm’s WS_FTP product.
“In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system,” the advisory noted. “All versions of WS_FTP Server Ad hoc module are affected by this vulnerability.”
In all, the firm’s updates address eight vulnerabilities affecting the WS_FTP Server Ad Hoc Transfer Module and the WS_FTP Server manager interface, two of which are critical.
The other critical bug, CVE-2023-42657, has a CVSS score of 9.9 and is a directory traversal vulnerability affecting WS_FTP Server versions prior to 8.7.4 and 8.8.2.
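Because the fix landed on two separate branches, a version newer than 8.7.4 is not necessarily patched: 8.8.0 and 8.8.1 remain affected until 8.8.2. The following triage helper, an added illustration that is not part of this article or of Progress’s software, encodes the advisory’s fixed releases (8.7.4 and 8.8.2) and flags affected installs in a constructed inventory; hostnames and versions are made up, and treating branches newer than 8.8 as patched is an assumption the advisory does not state.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the Progress advisory for CVE-2023-40044 / CVE-2023-42657:
# the 8.7 branch is fixed from 8.7.4, the 8.8 branch from 8.8.2.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (8, 7): (8, 7, 4),
    (8, 8): (8, 8, 2),
}
OLDEST_FIXED_BRANCH = (8, 7)


def parse_version(text: str) -> Version:
    """Turn '8.8.1' or '8.8' into a three-part numeric tuple; extra parts are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts) + (0, 0, 0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when a WS_FTP Server version is older than its branch's fixed release.

    Branches older than 8.7 received no fix, so every such version counts as
    affected. Branches newer than 8.8 are treated as not affected (assumption:
    the advisory names only 8.7.4 and 8.8.2 as fixed releases).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    return branch < OLDEST_FIXED_BRANCH


def hosts_needing_patch(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported version is still affected."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ftp-01.example.test", "8.8.1"),  # 8.8 branch, below 8.8.2 -> affected
    ("ftp-02.example.test", "8.8.2"),  # patched
    ("ftp-03.example.test", "8.7.4"),  # patched on the 8.7 branch
    ("ftp-04.example.test", "8.8.0"),  # newer than 8.7.4 yet still unpatched
    ("ftp-05.example.test", "8.6.3"),  # branch with no fix -> affected
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to 8.7.4 or 8.8.2")
```

The comparison is done per branch rather than against a single "minimum version", which is the mistake a flat numeric check would make on the 8.8.0 entry.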
“An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path,” the advisory explained.
“Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.”
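The class of bug described above is the generic directory traversal problem: a path supplied by the user is joined to their authorized folder without checking where the result actually lands. The snippet below is an added illustration, not code from this article or from WS_FTP Server; it shows the weak join beside a confined version that resolves the path and proves it stays under the user's folder, and applies that check to every path an operation touches (rename has two). The base folder and file names are constructed.

```python
import os
from pathlib import Path
from typing import Tuple


class PathEscapeError(PermissionError):
    """Raised when a user-supplied path would leave the user's authorized folder."""


def naive_join(base_dir: str, user_path: str) -> str:
    """The weak form: trusting os.path.join. '..' segments walk upward, and an
    absolute user_path makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, user_path)


def confined_path(base_dir: str, user_path: str) -> Path:
    """Resolve user_path under base_dir and verify the result stays inside it."""
    base = Path(base_dir).resolve()
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise PathEscapeError(f"absolute paths are not allowed: {user_path!r}")
    # resolve() normalises '..' and follows symlinks, so the containment test
    # is made on the real filesystem location rather than on the path's text.
    target = (base / candidate).resolve()
    if target != base and base not in target.parents:
        raise PathEscapeError(f"{user_path!r} escapes {base_dir!r}")
    return target


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean convenience wrapper around confined_path()."""
    try:
        confined_path(base_dir, user_path)
        return True
    except PathEscapeError:
        return False


def authorize(base_dir: str, op: str, *user_paths: str) -> Tuple[Path, ...]:
    """Check every path an operation touches before performing it.
    rename has a source and a destination; both must stay inside base_dir."""
    expected = {"delete": 1, "rmdir": 1, "mkdir": 1, "rename": 2}
    if op not in expected or len(user_paths) != expected[op]:
        raise ValueError(f"{op!r} takes {expected.get(op, '?')} path(s), got {len(user_paths)}")
    return tuple(confined_path(base_dir, p) for p in user_paths)


if __name__ == "__main__":
    # Constructed per-user folder; nothing is created on disk, only resolved.
    user_root = "/tmp/wsftp/alice"
    for requested in ["docs/report.txt", "../bob/secret.txt", "/etc/passwd"]:
        print(f"{requested!r}: naive -> {naive_join(user_root, requested)}, "
              f"confined -> {is_confined(user_root, requested)}")
```

The check compares resolved paths rather than string prefixes, so a folder named `alice2` next to `alice` is not mistaken for a child of `alice`, and symlinks inside the user's folder cannot point the operation outside it.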
Callie Guenther, senior manager for cyber threat research at Critical Start, argued that the vulnerabilities required immediate attention.
“The WS_FTP Team has responded by issuing clear and detailed communication, outlining the affected versions, providing links to hotfixes, recommending an upgrade to the latest version (8.8.2), and suggesting mitigation steps for immediate action,” she added.
“However, organizations should note that remediation requires a system outage during the upgrade, necessitating effective communication and planning to minimize operational impact.”
A statement from Progress Software sent to Infosecurity read as follows:
“We have responsibly disclosed these vulnerabilities in conjunction with the researchers at Assetnote. Currently, we have not seen any indication that these vulnerabilities have been exploited. We have issued a fix and have encouraged our customers to perform an upgrade to the patched version of our software. Security is of the utmost importance to us and we leverage development practices to minimize product vulnerabilities whenever possible.”