Sunday 15th October 2023
Summary:
CVE-2023-42657 is a critical vulnerability in WS_FTP Server, a file transfer software developed by Progress Software. It is a directory traversal vulnerability that allows an attacker to access and modify files and folders outside of their authorised WS_FTP folder path, as well as on the underlying operating system. It affects WS_FTP Server versions prior to 8.7.4 and 8.8.21, which means it is very severe and can cause high impact on the confidentiality, integrity and availability of the system.
Severity:
CVSS score
9.9
Analyst Assessment:
The attackers may use these techniques to delete, rename, create or modify files and folders on the server or the operating system, which could lead to data loss, corruption, or encryption by ransomware. They may also use the compromised server as a foothold to launch further attacks on the network.
This vulnerability is being exploited in the wild by ransomware hackers who can access and modify files and folders outside of their authorized WS_FTP folder path, as well as on the underlying operating system.
Some of the reported attack vectors include:
Observation:
In all WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.
Issue Correction:
Progress Software has released security updates to address this vulnerability, as well as other vulnerabilities found in WS_FTP Server. Users are advised to apply the updates as soon as possible to prevent potential exploitation by malicious actors. You can find more information about the updates and how to install them on the Progress website.
Customers should make sure they only download the patch from our knowledge base and not from any third-party sites.
Upgrading to a patched release, using the full installer, is the only way to remediate this issue.
Caveat:
This is based on current, limited knowledge, which should be further investigated and checked, before being applied to your systems.
Sources:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42657
NVD - CVE-2023-42657 (nist.gov)
Progress Issues Security Update for Critical Vulnerabilities in WS_FTP Server - NHS Digital
WS_FTP - Secure FTP Server and Client Software - Progress
Want to keep informed? Sign up to our Newsletter