[CDP-development] TLP:GREEN (Vulnerability Alert Notification) Progress Software WS_FTP Server Critical Vulnerabilities CVE-2023-40044 and CVE-2023-42657
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Fri Sep 29 09:31:29 PDT 2023
Good morning,
The SOC Services team is reporting on two specific vulnerabilities recently disclosed by Progress Software: CVE-2023-40044, a WS_FTP Server Ad Hoc Transfer Module .NET deserialization vulnerability, and CVE-2023-42657, a WS_FTP Server directory traversal vulnerability. Due to their high visibility, our knowledge of the software installed in the state environment, and out of an abundance of caution, we are providing this in-depth information:
History: On September 28, 2023, Progress Software released updates to patch WS_FTP Server (also known as Ipswitch WS_FTP Server), addressing eight security flaws in total. Of the eight flaws, two are rated Critical. CVE-2023-40044 was established on September 27, 2023, and is a .NET deserialization vulnerability currently assigned a CVSSv3 rating of 10.0 (Critical). CVE-2023-42657 was established on September 27, 2023, and is a directory traversal vulnerability currently assigned a CVSSv3 rating of 9.9 (Critical). Three other CVEs addressed in the security release are assigned CVSSv3 ratings of High, and the remaining three are assigned CVSSv3 ratings of Medium.
The following products are affected:
* Progress WS_FTP Server 2022 from version 8.8.0 to versions prior to 8.8.2
* Progress WS_FTP Server 2020 from version 8.7.0 to versions prior to 8.7.4
Patches are available from Progress to fix the vulnerabilities. The fixed versions are:
* Progress WS_FTP Server 2022 8.8.2
* Progress WS_FTP Server 2020 8.7.4
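As an added example (not part of the advisory and not Progress code), a small Python check that maps an installed WS_FTP Server version onto the affected and fixed ranges listed above, so an inventory export can be triaged without hand comparison. The host inventory is constructed sample data.

```python
# Added example: classify WS_FTP Server versions against the advisory's ranges.
from typing import Dict, Tuple

# Ranges as stated in the advisory, per product line:
# (first affected version, first fixed version). Versions in
# [first affected, first fixed) are vulnerable.
AFFECTED = {
    "WS_FTP Server 2022": ((8, 8, 0), (8, 8, 2)),
    "WS_FTP Server 2020": ((8, 7, 0), (8, 7, 4)),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.8.1' into (8, 8, 1); pad short strings such as '8.8' with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def assess(version: str) -> str:
    """Return AFFECTED / FIXED / NOT LISTED for one installed version string."""
    v = parse_version(version)
    for product, (first_bad, first_fixed) in AFFECTED.items():
        if first_bad <= v < first_fixed:
            fixed = ".".join(map(str, first_fixed))
            return f"AFFECTED ({product}); upgrade to {fixed}"
        # Same major.minor branch at or above the fixed build.
        if v[:2] == first_fixed[:2] and v >= first_fixed:
            return f"FIXED ({product})"
    # Other branches are not covered by this advisory; check the vendor bulletin.
    return "NOT LISTED in this advisory; confirm against the Progress bulletin"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> installed version onto host name -> assessment."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "ftp-01.example.invalid": "8.8.1",
    "ftp-02.example.invalid": "8.7.4",
    "ftp-03.example.invalid": "8.7.0",
    "ftp-04.example.invalid": "8.6.5",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```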
Further information is available from the vendor:
* Progress Software bulletin - https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
Intelligence: As of September 28, 2023, no known exploits have been utilized against the vulnerabilities. However, given the attention by threat actors to previous vulnerabilities in Progress software, it is very likely that the vulnerabilities will be targeted and exploited in the near future.
Workarounds: The only workaround applies to CVE-2023-40044: the WS_FTP Server Ad Hoc Transfer Module can be removed or disabled as an alternative to installing the provided update. Progress has published documentation on removing or disabling the module at https://community.progress.com/s/article/Removing-or-Disabling-the-WS-FTP-Server-Ad-hoc-Transfer-Module
No other workarounds have been provided for the other seven CVEs identified.
How it works: There is no public information about how the vulnerabilities are exploited at this time.
Post-Exploit:
CVE-2023-40044 could allow a pre-authenticated attacker to leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system. By exploiting the vulnerability, an attacker may modify deserialized data to possibly perform unauthorized actions.
CVE-2023-42657 could allow an attacker to escape the context of the WS_FTP Server file structure and perform the same level of file and folder operations on the underlying operating system. As a result, an attacker could view or modify critical files on the system.
Progress has noted that both CVEs can be exploited in low-complexity attacks that do not require user interaction.
No known indicators of compromise have been publicly shared at this time.
As of September 28, 2023, there are no plugins released by Tenable for detecting the vulnerabilities.
Recommended Actions:
* Enable logging.
* Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
* Maintain good cyber hygiene and follow vendor patching recommendations.
* Verify the host has not been compromised before applying patches.
* Apply the updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."