The Vulnerability Scale of WS_FTP Bug Attacks: A Limited Impact

Report: Limited Impact of Attacks Targeting WS_FTP Server Vulnerability

Background

Last week, Progress Software disclosed a maximum-severity vulnerability in its WS_FTP Server file transfer product. The flaw, identified as CVE-2023-40044, is a .NET deserialization vulnerability that allows remote code execution. Although initial exploit activity was observed, attacks targeting the vulnerability have been relatively limited so far. However, experts warn that organizations should not delay patching, given the potential for widespread exploitation, as seen with a similar critical zero-day flaw in Progress’ MOVEit file transfer software in May.

The Vulnerability

CVE-2023-40044 affects all supported versions of the WS_FTP software, specifically the optional Ad Hoc Transfer module. It has a maximum severity score of 10.0 on the CVSS scale due to its ease of exploitation and the potential for unauthenticated attackers to run remote commands on the underlying operating system of the WS_FTP Server. Researchers have demonstrated that the vulnerability can be exploited using a single HTTPS POST request carrying specific multipart data.

Exploit Activity

Shortly after the disclosure, proof-of-concept exploit code for CVE-2023-40044 became available from Assetnote, the company that reported the vulnerability to Progress, and other researchers. This led to some early exploit activity targeting the flaw. Rapid7, a leading security vendor, reported observing attacks exploiting one or more vulnerabilities in WS_FTP Server across multiple customer environments. The attacks showed signs of mass exploitation, and Rapid7 theorized that a single actor may be behind them. Further technical analysis by Rapid7 revealed detailed information about CVE-2023-40044 and how it was exploited.

Rapid7 Findings

Caitlin Condon, head of vulnerability research at Rapid7, stated that her company observed multiple instances of WS_FTP Server exploitation on September 30. While the activity resembled possible mass exploitation, it was fortunately limited to that day. The attacks showed consistent behavior, suggesting a single adversary was involved. Rapid7 could not definitively link the attacks to any specific WS_FTP vulnerability, but it is likely that at least some of the activity exploited CVE-2023-40044.

Huntress Labs Findings

Huntress Labs also reported observing attacks targeting CVE-2023-40044, but the number of incidents has been limited thus far. Although the attacks varied in complexity, ranging from simple DNS queries to code execution and payload installation, they appeared opportunistic in nature. John Hammond, senior security researcher at Huntress Labs, noted that WS_FTP installations within their visibility were primarily used by financial institutions and healthcare providers.

Internet Monitoring Firm’s Findings

Censys, an internet monitoring firm, conducted a search for vulnerable WS_FTP servers and found fewer instances than expected. Of the more than 4,000 Internet-accessible WS_FTP hosts, only 325 had the Ad Hoc Transfer Module enabled. Additionally, 91 hosts had already disabled the service by September 29. This suggests that the number of potentially vulnerable servers is relatively low compared to the number of systems exposed to the MOVEit vulnerability.

Security Recommendations

Progress expressed disappointment with how quickly third parties released proof-of-concept exploits for the vulnerabilities, potentially providing threat actors with a roadmap for exploitation. To mitigate the risk, organizations using WS_FTP Server should immediately apply the available patch for CVE-2023-40044 and any other disclosed vulnerabilities. It is crucial to prioritize addressing vulnerabilities and staying up-to-date with software patches to minimize the risk of exploitation.

Editorial

The limited impact of the attacks targeting the WS_FTP Server vulnerability is encouraging but should not lead to complacency. Timely patching is essential for organizations to protect their systems and data from potential exploitation. The quick release of proof-of-concept exploits underscores the need for software vendors and security researchers to collaborate closely to ensure responsible disclosure. Additionally, organizations must prioritize cybersecurity, implement strong security measures, and regularly update their software to minimize vulnerability to such attacks.
