For the second time in current months, Progress Software program is requiring enterprise safety groups to drop every little thing and transfer shortly to guard their organizations towards crucial vulnerabilities in its file-transfer software program — this time, the WS_FTP file switch product utilized by some 40 million individuals.

Probably the most extreme of the bugs permits for pre-authenticated distant code execution (RCE) with none consumer interplay. As well as, the group additionally features a bug that is close to most severity and 6 which are of both excessive or medium severity. 

Information of the brand new vulnerabilities comes at the same time as hundreds of Progress prospects are reeling from a zero-day vulnerability in its MOVEit file switch expertise that the corporate disclosed in late Might. Thus far, greater than 2,100 organizations have fallen sufferer to assaults leveraging the flaw, lots of them by the Cl0p ransomware group. The newly disclosed bugs may very well be equally harmful: They have an effect on all supported variations of WS_FTP, which, like MOVEit, is enterprise-grade software program that organizations use to allow safe file transfers between methods, teams, people. 

In an emailed assertion to Darkish Studying, a spokesman from Progress stated the corporate has seen no indicators of exploit exercise focusing on any of the failings, thus far. 

“Now we have responsibly disclosed these vulnerabilities at the side of the researchers at Assetnote,” the assertion stated. “At present, we’ve not seen any indication that these vulnerabilities have been exploited. Now we have issued a repair and have inspired our prospects to carry out an improve to the patched model of our software program.”

Patch WS_FTP Now

Progress has remediated the vulnerabilities and issued version-specific hotfixes for all affected merchandise. The corporate is urging its prospects to replace instantly or apply its beneficial mitigation steps; Progress needs organizations which are utilizing unsupported variations of WS_FTP to improve to a supported and stuck model ASAP as effectively.

“Upgrading to a patched launch, utilizing the complete installer, is the one technique to remediate this challenge,” Progress stated. “There shall be an outage to the system whereas the improve is operating.”

Particularly, the vulnerabilities that Progress disclosed this week are current within the WS_FTP Server Advert hoc Switch Module and within the WS_FTP Server supervisor interface.

Vital Vulnerability Is “Simply Exploitable”

The utmost severity vulnerability tracked as CVE-2023-40044 impacts WS_FTP Server variations prior to eight.7.4 and eight.8.2, and as talked about offers attackers a technique to achieve pre-authentication RCE on affected methods. Progress described the difficulty as a .NET serialization vulnerability — a standard form of bug the place an app processes request payloads in an insecure method. Such flaws can allow denial-of-service assaults, info leaks, and RCE. Progress credited two researchers from Assetnote as discovering the failings and reporting it to the corporate.

Caitlin Condon, head of vulnerability analysis at Rapid7, says her firm’s analysis group was in a position to identification the vulnerability and take a look at its exploitability. “[Rapid 7 has] verified that it’s simply exploitable with an HTTPS POST request — and a few particular multipart information — to any URI underneath a selected path. No authentication is required, and no consumer interplay is required,” Condon says.

In a submit on X (previously Twitter) on Sept. 28, one of many Assetnote researchers introduced the corporate’s plans to launch a full write-up on the problems they found in 30 days — or if particulars of the exploit change into publicly obtainable earlier than then.

In the meantime, the opposite crucial bug is a listing traversal vulnerability, CVE-2023-42657, in WS_FTP Server variations earlier than 8.7.4 and eight.8.2. 

“An attacker might leverage this vulnerability to carry out file operations (delete, rename, rmdir, mkdir) on information and folders outdoors of their approved WS_FTP folder path,” Progress warned in its advisory. “Attackers might additionally escape the context of the WS_FTP Server file construction and carry out the identical degree of operations (delete, rename, rmdir, mkdir) on file and folder places on the underlying working system.” The bug has a CVSS rating of 9.9 out of 10, making it a close to most severity vulnerability. Listing traversal flaws, or path traversal, are vulnerabilities that mainly give attackers a technique to entry unauthorized information and directories.

Learn how to Uncover the Bugs in Progress’ File Switch

The opposite points embody two high-severity bugs (CVE-2023-40045 and CVE-2023-40047), that are cross-site scripting (XSS) vulnerabilities that allow execution of malicious JavaScript. The medium safety flaws embody CVE-2023-40048, a cross-site request forgery (CSRF) bug; and CVE-2023-40049, an info disclosure challenge, amongst others. 

“WF_FTP has a wealthy historical past and is often used amongst IT and builders,” says Timothy Morris, chief safety advisor at Tanium, including that organizations that keep a great software program stock and/or have packages to observe software program use of their atmosphere ought to have a comparatively straightforward time monitoring down and updating susceptible cases of WS_FTP.”

He provides, “Additionally, since operating variations of WS_FTP usually has incoming ports open to simply accept connection requests, it would not be troublesome to identify with community monitoring instruments.”

“I would begin with software program stock instruments to scan the atmosphere — app put in, service operating — then use file searches as a secondary technique to look and discover variations of WS_FTP, at relaxation,” he says.