Advisory: Progress WS_FTP RCE (CVE-2023-40044)

Executive Team Note: Our coordinated disclosure policy works on a 90 day timeline where we will disclose via our website 90 days after we report to a vendor. If a patch is released prior to that time our general policy is to allow 30 days before disclosure to allow for patch uptake. However, if an exploit or PoC is publicly released independently within that timeline we will publish. In this case, there was an independent researcher on Twitter/X that publicly disclosed a PoC after the patch was released so we published our research to provide more context around the vulnerability.

‍

‍

Summary

An attacker can exploit this vulnerability without authentication, to execute arbitrary commands on the Progress WS_FTP server through the deserialization of untrusted data. An attacker must be able to access the WS_FTP web server and the Ad Hoc Transfer application in order to exploit this issue.

Impact

An attacker can execute arbitrary commands on the server running WS_FTP, without any authentication.

Affected Software

WS_FTP Server versions prior to 8.7.4 and 8.8.2

Product Description

WinSock File Transfer Protocol, or WS_FTP, is a secure file transfer software package produced by Ipswitch, Inc. Ipswitch is a Massachusetts-based software producer established in 1991 that focuses on networking and file sharing.

Solution

Upgrade to WS_FTP Server 2020.0.4 (8.7.4) or WS_FTP Server 2022.0.2 (8.8.2).

Blog Post

The blog post for this issue can be found here.

Credits

Shubham Shah - Assetnote Security Research Team

Sean Yeoh - Assetnote Engineering Lead

‍