Progress Software, the maker of the MOVEit Transfer app that has been targeted by attackers for several months, is warning customers about a critical vulnerability in its WS_FTP Server product that can allow arbitrary remote code execution.
The vulnerability (CVE-2023-40044) is a deserialization bug in the Ad Hoc Transfer module in WS_FTP Server, a secure file transfer product. The flaw affects all versions of the server and can be exploited without authentication.
“In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system,” the advisory says.
The Ad Hoc Transfer module is part of the default installation for the WS_FTP Server, so unless it is explicitly disabled by the customer, the installation is vulnerable to this bug.
Progress has released updates to fix this vulnerability, along with several others that have been discovered in the WS_FTP Server. Among the other bugs fixed in the new release is a critical directory traversal vulnerability (CVE-2023-42657).
“An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system,” the advisory says.
There are three high-severity and three medium-severity bugs also fixed in this new release, including a reflected XSS vulnerability in the Ad Hoc Transfer module.
All organizations running a vulnerable version of the WS_FTP Server product should update as soon as possible.
Progress customers are still dealing with the fallout of attacks on a vulnerability in the MOVEit file transfer app that was disclosed in June. That vulnerability was exploited as a zero day, and the Cl0p ransomware group was among the actors targeting it. Thousands of companies have been affected by attacks on the vulnerability (CVE-2023-34362), and there likely will be further downstream effects in the coming months.