Live Exploitation Underscores Urgency to Patch Critical WS-FTP Server Flaw

Just days after the release of patches for a critical pre-authentication flaw in Progress Software’s WS_FTP server product, security experts have detected active exploitation in the wild against multiple target environments.

Cybersecurity vendor Rapid7 raised the alarm over the weekend after it spotted instances of live exploitation of the WS_FTP vulnerability in various customer environments.

According to Caitlin Condon, head of vulnerability research at Rapid7, the easy-to-exploit CVE-2023-40044 vulnerability is already in the crosshairs of attackers attempting mass exploitation of vulnerable WS_FTP servers.

“The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers. Additionally, our MDR team has observed the same Burp Suite domain used across all incidents, which may point to a single threat actor behind the activity we’ve seen,” Condon said.

The critical-severity flaw, which carries a CVSS score of 10/10, can be triggered by attackers over the internet and affects all WS_FTP Server versions prior to 8.7.4 and 8.8.2

Assetnote, the research outfit that discovered the issue, warns that the flaw affects the entire Ad Hoc Transfer component of WS_FTP.  “It was a bit shocking that we were able to reach the deserialization sink without any authentication,” the company said in a note documenting the findings.

“The issue discovered in Progress WS_FTP was within a HTTP Module called MyFileUpload.UploadModule. This HTTP module is responsible for _all_ file uploads made within the AHT application. It was wild to see all file upload functionality being implemented inside a HTTP module, as our belief as engineers is that HTTP modules should not be responsible for file upload functionality (especially given that HTTP modules run on literally every request cycle),” Assetnote added.

Advertisement. Scroll to continue reading.

Assetnote said it found nearly 3,000 hosts on the internet that are running WS_FTP with an exposed web server and noted that most of the exposed assets belong to large enterprises, governments and educational institutions.

Progress Software’s security response team has found itself scrambling to respond to a wave of debilitating ransomware attacks that exploited zero-day flaws in its MOVEit managed file transfer software product.

Earlier this year, the company rushed out patches to cover at least three critical vulnerabilities and announced plans to release regular service packs with a “predictable, simple and transparent process for product and security fixes.”

Software vendors typically use a service pack to deliver a collection of updates, fixes, features or enhancements to an application.  Service packs are delivered in the form of a single installable package.

Related: Critical Pre-Auth Flaws in Progress Software WS_FTP Server

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation

Related: Chinese Gov Hackers Caught Hiding in Cisco Router Firmware

Related: MOVEit Customers Urged to Patch 3rd Critical Vulnerability

https://www.securityweek.com/live-exploitation-underscores-urgency-to-patch-critical-ws-ftp-server-flaw/