Bugs Found in Another Progress Software File Transfer AppExpert Warns of Maximum-Severity Flaw, Says 'You Need to Patch Right Now!'
Progress Software has again sent customers on a scramble to hurriedly install emergency patches, this time for its secure FTP server software. A Wednesday patch advisory comes just months after hackers took advantage of a zero-day in the Massachusetts company's popular MOVEit file transfer software in a hacking campaign affecting tens of millions of individuals across the globe.
The advisory says all versions of the WS_FTP Server are affected by a set of eight newly disclosed flaws and tells customers using no-longer-supported versions to upgrade. The company said that "thousands of IT teams" depend on its file transfer protocol application.
The most severe bug, tracked as CVE-2023-40044, allows an unauthenticated attacker to execute remote commands on the underlying operating system through an attack that converts a hypertext transfer protocol message into a malicious object, a technique known as deserialization. The company assigns the vulnerability a CVSS score of 10, the maximum possible.
"There's a 10-out-10 severity bug you need to patch right now!" tweeted Sophos' Paul Ducklin. "Even if you aren't running WS_FTP yourself, but you have a third party who does, e.g. for payroll, check that they've patched … remember MoveIT?"
Progress Software credits Assetnote for the discovery. The Australian cybersecurity firm said it will disclose more information a month from now "or if details of the exploit are publicly released." Massachusetts cybersecurity firm Rapid7 said it had tested the vulnerabilities but "is not aware of any exploitation in the wild as of September 29, 2023."
"The vulnerability is trivially exploitable and allows an unauthenticated attacker to achieve remote code execution on the target system," Caitlin Condon, Rapid7 head of vulnerability research, told Information Security Media Group.
The bundle of emergency patches also includes a second critical bug, tracked as CVE-2023-42657, which carries a CVSS score of 9.9. The flaw is a directory traversal vulnerability that allows attackers to perform file operations such as deletion outside their authorized folder path or on files in the underlying operating system.
The advisory also fixed three flaws rated as high. CVE-2023-40045 affects WS_FTP Server's Ad Hoc Transfer module; CVE-2023-40046 affects WS_FTP Server manager interface; and CVE-2023-40047 affects WS_FTP Server's Management module.
Progress Software is still dealing with the aftermath of a mass hacking campaign of its products that began on May 27 when the Russian-speaking Clop ransomware operation exploited a zero-day vulnerability in MOVEit. Experts tracking the data theft campaign now say more than 2,000 organizations directly or indirectly fell victim.
The attack does not appear to have affected the publicly traded company financially, CEO Yogesh Gupta said Tuesday during an earnings call, reported Cybersecurity Dive. A quarterly report filed with federal regulators in July said that MOVEit products accounted for only approximately 4% of company revenue during the first half of this year.
With reporting by Information Security Media Group's David Perera in Washington, D.C.