Progress Software, whose MOVEit file transfer software was the vector for a variety of attacks earlier this year, has disclosed critical vulnerabilities in another package - and one is already being exploited.

CVE-2023-40044 was discovered by two researchers from Assetnote, Shubham Shah and Sean Yeoh.
On October 1, they wrote that Progress Software's WS_FTP package has a deserialisation vulnerability that affects "the entire Ad Hoc Transfer component" of the package.
In its advisory, Progress Software said: "In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialisation vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system."
However, Shah and Yeoh claimed that "the vulnerability could be triggered without any authentication".
Assetnote said its scans revealed nearly 3000 internet-facing hosts that matched the conditions for exploitation (running WS_FTP with an accessible web server), most of which "belong to large enterprises, governments and educational institutions".
Progress Software disclosed a number of other vulnerabilities in its advisory, including CVE-2023-42657, a critical-rated directory traversal bug that allows attackers to perform file operations (including deleting and renaming files and directories) on locations on the underlying operating system.
In a statement sent to iTnews, Progress Software said: "We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch.
"We are not aware of any evidence that these vulnerabilities were being exploited prior to that release.
"Unfortunately, by building and releasing a POC rapidly after our patch was released, a third-party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible."