Exploit Available for Critical WS_FTP Bug Exploited in Attacks

Cyber Security Threat Summary:
Over the weekend, security researchers uncovered a critical vulnerability (CVE-2023-40044) in Progress Software's WS_FTP Server. They released a proof-of-concept (PoC) exploit along with technical details. The flaw stems from a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allowing unauthenticated attackers to execute remote commands via a simple HTTP request. Assetnote researchers, who discovered the issue, expressed surprise at how long it remained unpatched.

Their Analysis revealed approximately 2,900 internet-exposed WS_FTP instances, primarily belonging to large enterprises, governments, and educational institutions. Shodan search confirmed this finding. Shortly after the PoC release, attackers began exploiting CVE-2023-40044, according to cybersecurity company Rapid7. They noted a consistent execution chain and indicated possible mass exploitation by a single threat actor. Progress Software had released security updates to address the vulnerability earlier.

Security Officer Comments:
In cases where companies cannot promptly apply server patches, they are recommended to deactivate the susceptible WS_FTP Server Ad Hoc Transfer Module. Additionally, the Health Sector Cybersecurity Coordination Center has issued a strong recommendation for healthcare and public health sector organizations to swiftly implement server patches. It's worth noting that Progress Software had previously experienced data theft incidents due to attacks exploiting a zero-day vulnerability in the MOVEit Transfer secure file transfer platform. These incidents impacted numerous organizations and affected millions of individuals.

Suggested Correction(s):
Organizations often rely on software like this to move databases and mission-critical data between systems and third-party organizations with whom they conduct business. This requires them to expose these systems to the internet, making them accessible to external parties. Consequently, when these systems are vulnerable, they are more likely to be targeted by malicious actors seeking to exploit any weaknesses for unauthorized access or data breaches. Therefore, robust security measures and prompt software updates are crucial to protect against potential threats and ensure the safe exchange of sensitive information.

To find more information, please refer to the vendor's community webpage, which contains additional details available at this link: https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023