Security Update for WS_FTP Server Customers

On September 27, 2023, WS_FTP Server customers were notified and provided a patch that addressed several vulnerabilities in WS_FTP Server in WS_FTP Server Ad hoc Transfer Module, WS_FTP Server's SSH module and in the WS_FTP Server. All versions of WS_FTP Server are affected and full CVE details are included below.

We encourage all WS_FTP Server customers to immediately apply the patch released on September 27 to harden their environments.

This series of vulnerabilities was discovered by internal WS_FTP engineers in conjunction with the cybersecurity researchers and experts at Assetnote, who abided by their responsible reporting policies. We are thankful for the partnership with them and the larger cybersecurity community who are diligently working to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. 

While we are not aware of any evidence that these vulnerabilities were being exploited prior to the release of the patch, we have learned that a proof of concept (POC), reverse-engineered from our initial vulnerability disclosure and patch, has been posted publicly by an unauthorized third-party. This provides threat actors with a roadmap on how to exploit the vulnerabilities and attempt attacks against our customers that have not yet deployed the patch. For customers who have yet to deploy the patch, please refer to this knowledge base article for details and the actions required. The patched release, using the full installer, is the only way to remediate this issue.

Our customers have been and will continue to be our top priority. We continue to work with them and responsible third-party research experts to discover, properly disclose and remediate any issues. As a community, we need to continue to discourage the irresponsible publication of POCs rapidly following the release of software patches by individuals looking for personal gain or notoriety.

If customers have questions related to this issue, please log in to open a new Technical Support case in our customer community for assistance or reach out to your implementation partner. We are now working with the security community to determine any indicators of compromise and will also post updates to the knowledge base article, as needed. If you find vulnerabilities in any of our software, we ask that you responsibly report them by reaching out directly to us. To submit a vulnerability, please go to https://www.progress.com/security/vulnerability-reporting-policy.

Details on Vulnerabilities in WS_FTP & Potential Impact:

CVE-2023-40044: https://www.cve.org/CVERecord?id=CVE-2023-40044

• In all WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

CVE-2023-42657: https://www.cve.org/CVERecord?id=CVE-2023-42657

• In all WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.

CVE-2023-40046: https://www.cve.org/CVERecord?id=CVE-2023-40046

• In all WS_FTP Server versions prior to 8.7.4 and 8.8.2, a SQL injection vulnerability exists in the WS_FTP Server manager interface. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.    

CVE-2023-40045: https://www.cve.org/CVERecord?id=CVE-2023-40045

• In all WS_FTP Server versions prior to 8.7.4 and 8.8.2, a reflected cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Ad Hoc Transfer module.  An attacker could leverage this vulnerability to target WS_FTP Server users with a specialized payload which results in the execution of malicious JavaScript within the context of the victim's browser.  

Steps to Apply the Patch:

If a WS_FTP customer has not yet applied the patch it is essential that they do so as soon as possible by following the steps outlined in the knowledge base article. We urge customers to make sure they only download the patch from our knowledge base and not from any third-party sites. 

Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running.   

For all customers on a current maintenance agreement, the upgrade can be accessed by logging into the Progress Community—https://community.progress.com/s/.  Customers that are not on a current maintenance agreement should contact the  Progress Renewals team or your Progress partner account representative.    

To confirm your current version of  WS_FTP Server please follow the instructions in this knowledge base article. 

To obtain the appropriate installer, please perform the following:

1. Log in to the Download Center at  https://community.progress.com/s/products-list using your Progress ID credentials

2. Select the appropriate Asset from the list  

3. Click the Download link under the Related Products & Downloads section  

4. Click [Download] next to the Fixed Version you would like to download (reference table below)