Alert essentials:
Progress WS_FTP has been targeted and exploited in the wild by hackers. Upgrade the software version immediately to remediate.
Detailed threat description:
When network professionals think of Progress Software, the MOVEit vulnerability comes to mind. Estimated to have impacted at least 60 million individuals and thousands of businesses, CVE-2023-34362 is the most exploited weakness in 2023. However, another Progress file transfer tool has just come under attack.
WS_FTP Server versions prior to 8.7.4 and 8.8.2 have eight reported vulnerabilities. Two of these weaknesses are critical. CVE-2023-40044, a .NET deserialization vulnerability that does not require authentication, received a perfect score of 10 on the CVSS scale.
In addition, CVE-2023-42657 is a flaw in WS_FTP Server's Ad Hoc Transfer module and has a CVSS score of 9.9 because it does require authentication. Hackers are actively exploiting both vulnerabilities. These were addressed by version upgrades released by Progress Software in September. Log in to the download center at Progress and download WS_FTP Server version 8.7.5 or 8.8.3.
Impacts on healthcare organizations
File transfer programs help move large images or multiple files through and across networks. Compromise of these programs could allow threat actors to exfiltrate large amounts of sensitive data.
Affected Products / Versions
- WS_FTP Server versions prior to 8.7.4 and 8.8.2
CVE
- CVE-2023-40044
- CVE-2023-42657
- CVE-2023-40045
- CVE-2023-40046
- CVE-2023-40047
- CVE-2023-40048
- CVE-2022-27665
- CVE-2023-40049
Recommendations
Engineering recommendations:
- Upgrade to a patched release using the full installer. This is the only way to remediate this issue.
- Note that there will be an outage to the system while the upgrade is running.
- Confirm the WS_FTP version with details from the Huntress article (also listed below)
- If you are using the Ad Hoc Transfer module in the WS_FTP Server and are not able to update to a fixed version, consider disabling or removing the module
Leadership / Program recommendations:
- Rapid7 observed the same execution chain in many cases, possibly indicating mass exploitation of vulnerable WS_FTP servers. Be sure upgrades are performed on all WS_FTP servers in the environment.
- Consider checking equipment not normally on your radar. Oftentimes these devices are critical and are not in normal scanning routines. Be sure to investigate these areas for older versions of file transfer software.
- Consider departments responsible for large file transfers, possibly images
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- https://www.tenable.com/blog/cve-2023-40044-cve-2023-42657-progress-software-patches-multiple-vulnerabilities-in-ws-ftp
- https://community.progress.com/s/article/Removing-or-Disabling-the-WS-FTP-Server-Ad-hoc-Transfer-Module
- https://techcrunch.com/2023/08/25/moveit-mass-hack-by-the-numbers
- https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
- https://community.progress.com/s/products-list
- Find WS_FTP version: https://community.progress.com/s/article/How-can-I-find-the-version-of-WS-FTP-that-I-m-using
- Indicators of Compromise: https://www.huntress.com/blog/critical-vulnerabilities-ws_ftp-exploitation