This is an advisory only and is not a notification of activity being seen on your network. This advisory is for organizations that use WS_FTP Server to support secure file transfer capabilities. If your organization does not use this platform, this notification may be discarded.
Summary
Progress Software has released hotfixes for its enterprise WS_FTP Server platform to address several vulnerabilities. The most serious of these, CVE-2023-40044, is a .NET deserialization vulnerability in the Ad Hoc Transfer Module that could allow an unauthenticated, remote attacker to execute commands on the operating system underlying the WS_FTP Server. A second critical vulnerability, CVE-2023-42657, could allow an attacker to perform file operations on files and folders outside of their authorized WS_FTP folder path, or on the underlying operating system.
Critical Vulnerabilities
CVE-2023-40044 – Remote Code Execution .NET deserialization vulnerability
CVSSv3: 10.0
CVE-2023-42657 – Directory Traversal Vulnerability
CVSSv3: 9.9
Other Vulnerabilities
CVE-2023-40045
CVSSv3: 8.3
CVE-2023-40046
CVSSv3: 8.2
CVE-2023-40047
CVSSv3: 8.3
CVE-2023-40048
CVSSv3: 6.8
CVE-2023-27665
CVSSv3: 6.1
CVE-2023-40049
CVSSv3: 5.3
Affected Versions
- All versions prior to WS_FTP Server 2020.0.4 (8.7.4)
- All versions prior to WS_FTP Server 2022.0.2 (8.8.2)
Mitigations
- Upgrade to WS_FTP Server 2020.0.4 (8.7.4)
- Upgrade to WS_FTP Server 2022.0.2 (8.8.2)
If the Ad Hoc Transfer Module IS installed and you are unable to patch, disable the module if it is not in use (see the article below); this removes the component exposed by CVE-2023-40044 until the upgrade can be applied.
https://community.progress.com/s/article/Removing-or-Disabling-the-WS-FTP-Server-Ad-hoc-Transfer-Module
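A triage helper for the Affected Versions and Mitigations sections above, added here as an example; it is not Progress Software code. It encodes only the two fix lines the advisory lists (2020.0.4 = 8.7.4 and 2022.0.2 = 8.8.2) and, for a version string read from an asset inventory, reports whether that build is below its branch's fixed build and which mitigation applies. The mapping of other 2020.0.N / 2022.0.N patch levels onto 8.7.N / 8.8.N builds is an assumption extrapolated from the two pairs the advisory gives, and the `assess` / `parse_version` names are the example's own.

```python
"""Version triage for the WS_FTP Server advisory (added example, not vendor code)."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Fixed build per affected branch, taken from the advisory's Mitigations section.
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (8, 7): (8, 7, 4),  # WS_FTP Server 2020.0.4
    (8, 8): (8, 8, 2),  # WS_FTP Server 2022.0.2
}

# Year-style version prefix -> internal build prefix. Only the two pairs the
# advisory states are known; applying them to other patch levels is an assumption.
YEAR_TO_BUILD: Dict[Tuple[int, int], Tuple[int, int]] = {
    (2020, 0): (8, 7),
    (2022, 0): (8, 8),
}


def parse_version(text: str) -> Version:
    """Parse '8.7.3' or '2020.0.3' into a tuple of ints normalised to the 8.x
    build numbering. Extra trailing segments (e.g. '8.8.1.0') are kept so that
    tuple comparison stays lexicographic. Non-numeric input raises ValueError."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    v: Version = tuple(int(p) for p in parts)
    prefix = v[:2]
    if prefix in YEAR_TO_BUILD:
        v = YEAR_TO_BUILD[prefix] + v[2:]
    return v


def assess(version_text: str, adhoc_module_installed: bool) -> Dict[str, object]:
    """Decide whether the build is below the advisory's fixed build for its
    branch and return the mitigation the advisory gives for that case."""
    v = parse_version(version_text)
    branch = v[:2]
    fixed: Optional[Version]
    if branch in FIXED_BUILDS:
        # Same branch as a fix line: compare directly against that fixed build.
        fixed = FIXED_BUILDS[branch]
        affected = v < fixed
    elif v < min(FIXED_BUILDS.values()):
        # Older than every fix line: "all versions prior to" covers it; the
        # lowest fixed build is the smallest upgrade step.
        fixed = min(FIXED_BUILDS.values())
        affected = True
    else:
        # Newer than both fix lines: outside the ranges this advisory lists.
        fixed = None
        affected = False

    if not affected or fixed is None:
        action = "no action required by this advisory"
    else:
        action = "upgrade to WS_FTP Server " + ".".join(map(str, fixed))
        if adhoc_module_installed:
            # Interim mitigation from the advisory for hosts that cannot patch yet.
            action += "; until patched, disable the Ad Hoc Transfer Module if it is not in use"
    return {"version": version_text, "build": v, "affected": affected, "action": action}


if __name__ == "__main__":
    # Constructed inventory rows: (reported version, Ad Hoc Transfer Module present).
    inventory = [("8.7.3", True), ("2022.0.2", False), ("8.8.1.0", True), ("8.6.0", False)]
    for version, adhoc in inventory:
        result = assess(version, adhoc)
        print(f"{version:>10}  affected={result['affected']!s:5}  {result['action']}")
```

Feed it the version strings your inventory tool reports; anything it cannot parse raises rather than silently passing, which is the safer failure mode for a triage script.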
Additional Resources
https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
https://www.bleepingcomputer.com/news/security/progress-warns-of-maximum-severity-ws-ftp-server-vulnerability/