Critical CVE-2023-40044 Vulnerability in WS_FTP Server: Remote Code Execution Risk and Mitigation Steps

Executive Summary

CVE-2023-40044 is a critical vulnerability affecting WS_FTP Server versions prior to 8.7.4 and 8.8.2. It is a .NET deserialization flaw in the Ad Hoc Transfer module that allows a pre-authenticated attacker to execute remote commands on the underlying WS_FTP Server operating system. The vulnerability carries a CVSS v3.1 Base Score of 10.0 (Critical). Immediate action is required to mitigate the risk it poses.

Technical Information

CVE-2023-40044 is a .NET deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP Server. It allows a pre-authenticated attacker to execute remote commands on the underlying operating system. The vulnerability is present in WS_FTP Server versions prior to 8.7.4 and 8.8.2. Its CVSS v3.1 Base Score is 10.0 (Critical), with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: the flaw is reachable over the network, has low attack complexity, requires no privileges and no user interaction, affects resources beyond the vulnerable component itself (changed scope), and has high impact on confidentiality, integrity, and availability.

The vulnerability is classified under CWE-502, deserialization of untrusted data. Deserialization vulnerabilities occur when attacker-controlled input is deserialized into objects without validation, so the attacker chooses which types are instantiated and with what state; in many serialization frameworks that is enough to trigger arbitrary code execution during deserialization itself. In the case of CVE-2023-40044, the deserialization issue is present in the Ad Hoc Transfer module of WS_FTP Server, allowing an attacker to execute remote commands on the server.

Exploitation in the Wild

CVE-2023-40044 has been actively exploited in the wild. According to the CISA Known Exploited Vulnerabilities Catalog, threat actors are leveraging this vulnerability to gain unauthorized access and execute arbitrary commands on vulnerable WS_FTP servers. Indicators of Compromise (IOCs) include unusual network traffic to and from the WS_FTP server, logs showing command execution that the server would not normally perform, and unknown or suspicious files in the server directories.

For more information on the exploitation of CVE-2023-40044, refer to the resources listed under References below.

APT Groups using this vulnerability

While specific APT groups exploiting CVE-2023-40044 have not been publicly identified, the critical nature of this vulnerability makes it a likely target for advanced persistent threat actors. These actors often target sectors such as finance, healthcare, and government, seeking to gain unauthorized access to sensitive systems and data.

Affected Product Versions

The following versions of WS_FTP Server are affected by CVE-2023-40044:
- WS_FTP Server versions up to (excluding) 8.7.4
- WS_FTP Server versions from (including) 8.8 up to (excluding) 8.8.2
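The following Python script is an added example, not part of the Rescana report or of Progress Software's tooling. It turns the two affected ranges above into a check that can be run over an inventory of installed versions and reports which fixed release each affected host should move to. The host names and version strings in SAMPLE_INVENTORY are constructed for illustration.

```python
"""Check WS_FTP Server version strings against the CVE-2023-40044 affected ranges.

Added example: the ranges below are taken from the advisory text; the inventory
data is constructed for illustration.
"""
from __future__ import annotations

import re

# Affected ranges as stated in the advisory: [0, 8.7.4) and [8.8, 8.8.2).
# Each entry is (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = (
    ((0,), (8, 7, 4)),
    ((8, 8), (8, 8, 2)),
)

# Constructed sample inventory: (host, version string as reported by the host).
SAMPLE_INVENTORY = [
    ("ftp01", "8.7.3"),
    ("ftp02", "WS_FTP Server 8.8.1"),
    ("ftp03", "8.7.4"),
    ("ftp04", "8.8.2"),
    ("ftp05", "8.8"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted version number in text as a tuple of ints."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def _padded(version: tuple[int, ...], width: int) -> tuple[int, ...]:
    """Right-pad with zeros so that 8.8 and 8.8.0 compare as equal."""
    return version + (0,) * (width - len(version))


def is_affected(version: str) -> bool:
    """True if the version falls inside any of the affected ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        width = max(len(v), len(low), len(high))
        if _padded(low, width) <= _padded(v, width) < _padded(high, width):
            return True
    return False


def remediation_target(version: str) -> str:
    """Fixed release on the same branch: 8.7.4 for anything below 8.8, else 8.8.2."""
    v = parse_version(version)
    return "8.7.4" if _padded(v, 2)[:2] < (8, 8) else "8.8.2"


def assess_inventory(inventory):
    """Return (host, version, target) for each host that still needs patching."""
    return [
        (host, version, remediation_target(version))
        for host, version in inventory
        if is_affected(version)
    ]


if __name__ == "__main__":
    for host, version, target in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected by CVE-2023-40044, update to {target}")
```

Note that a version between 8.7.4 and 8.8 (for example 8.7.5) is outside both ranges the advisory gives and is therefore reported as not affected; versions are compared numerically component by component, so a host reporting "8.8" is treated as 8.8.0 and lands inside the second range.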

Workaround and Mitigation

To mitigate the risk posed by CVE-2023-40044, users should take the following steps:
1. Update to the Latest Version: Update WS_FTP Server to version 8.7.4 or 8.8.2, which contain the patch for this vulnerability.
2. Apply Vendor Mitigations: Follow the mitigation steps provided by Progress Software in their advisory.
3. Monitor for Indicators of Compromise (IOCs): Regularly monitor network traffic and system logs for any signs of exploitation attempts.
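Step 3 asks for monitoring of system logs. The script below is an added example, not part of the Rescana report or of any vendor tooling; it implements one concrete detection for the "unexpected command execution" indicator: a process-creation event in which the IIS worker process spawns a shell or script host. It assumes the Ad Hoc Transfer module runs inside IIS (as the title of the Assetnote reference indicates) and therefore that w3wp.exe is the relevant parent process. The pipe-delimited log format, the field names, the allowlist of benign children and the event lines are all constructed for illustration and are not an EDR or Sysmon schema.

```python
"""Flag process-creation events where the IIS worker process spawns a shell.

Added example. Assumption: the WS_FTP Ad Hoc Transfer module is hosted by IIS,
so post-exploitation command execution would appear as a child of w3wp.exe.
The log format and the events below are constructed, not real telemetry.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

WEB_WORKER = "w3wp.exe"  # IIS worker process

# Interpreters and script hosts that a web worker should not normally launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Children that ASP.NET itself legitimately spawns (assumption; tune per environment).
ALLOWED_CHILDREN = {"csc.exe", "vbc.exe", "conhost.exe"}

# Constructed sample events, one per line: ts|host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2023-10-02T09:14:03Z|ftp01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2023-10-02T09:14:10Z|ftp01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|csc.exe /noconfig @C:\Windows\Temp\build.cmdline
2023-10-02T09:20:41Z|ftp01|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
2023-10-02T09:31:55Z|ftp02|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Process
2023-10-02T09:32:07Z|ftp02|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\certutil.exe|certutil.exe -hashfile C:\Windows\Temp\upload.bin
"""


@dataclass
class Finding:
    ts: str
    host: str
    severity: str
    child: str
    cmdline: str


def parse_event(line: str) -> dict[str, str]:
    """Split one pipe-delimited event; the command line itself may contain pipes."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def classify(event: dict[str, str]) -> Finding | None:
    """Return a Finding if the event is an unexpected child of the IIS worker."""
    if ntpath.basename(event["parent"]).lower() != WEB_WORKER:
        return None
    child = ntpath.basename(event["image"]).lower()
    if child in ALLOWED_CHILDREN:
        return None
    # A shell or script host is the classic post-exploitation pattern; any other
    # unexpected child is still worth review, at lower priority.
    severity = "high" if child in SHELLS else "medium"
    return Finding(event["ts"], event["host"], severity, child, event["cmdline"])


def triage(log_text: str) -> list[Finding]:
    """Run classify over every non-empty, non-comment line of a log dump."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.ts} {f.host}: {WEB_WORKER} -> {f.child}: {f.cmdline}")
```

The allowlist matters in practice: ASP.NET compiles pages on demand through csc.exe under w3wp.exe, so a rule that alerts on every child of the worker process drowns in benign events, while a rule limited to shells and script hosts misses tools launched directly. Splitting the two into severities keeps the rule usable without discarding the second class.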

References

For further details and updates, please refer to the following resources:
- CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Rapid7 Blog Post (https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/)
- Packet Storm Security (http://packetstormsecurity.com/files/174917/Progress-Software-WS_FTP-Unauthenticated-Remote-Code-Execution.html)
- Metasploit Module (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb)
- Assetnote Research on CVE-2023-40044 (https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044)

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive monitoring and mitigation strategies to protect your organization from vulnerabilities like CVE-2023-40044. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
