Analytics Story: WS FTP Server Critical Vulnerabilities
Description
A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.
Why it matters
Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
| Powershell Installed IIS Modules |  Windows |
Pwsh:InstalledIISModules |
powershell://AppCmdModules |
| Suricata | N/A | suricata |
suricata |
| Sysmon EventID 1 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
References
- https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
- https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
- https://www.cve.org/CVERecord?id=CVE-2023-40044
- https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
- https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html
Source: GitHub | Version: 1