All versions of Progress Software’s WS_FTP Server are affected by two critical vulnerabilities. These vulnerabilities allow for arbitrary code execution and file traversal on the server. Proof-of-concept exploits have been publicly released, which shows that adversaries could gain access to and control the server. This could potentially lead to further exploitation of connected systems.
Security updates are available for supported WS_FTP servers.
NOTE: Following their initial advisory, on 3rd October 2023 Progress Software changed the update for WS_FTP Server 2022 from version 8.8.2 to version 8.8.3. This is an evolving situation and you should continue to monitor the advisory for any further changes.
Progress Software posted a security advisory on 27th September 2023 detailing two critical vulnerabilities in the WS_FTP software package.
All supported versions are affected, but patches are available and should be applied immediately.
The critical deserialisation and file traversal vulnerabilities allow an attacker to execute arbitrary code and perform file changes on the server with the potential for onward exploitation of connected systems.
The same advisory also lists three high scoring vulnerabilities: Two cross-site scripting vulnerabilities enable an attacker to execute code in a victim’s browser including the WS_FTP admin’s browser. In addition, a SQL injection enables an attacker to gain information about and change the WS_FTP database.
Independent reports from Rapid7 and Huntress suggest exploitation of these vulnerabilities is being observed and indicators of compromise are provided in their reports.
The threat is applicable to any organisations that make use of the Progress WS_FTP product, which includes both blue chip enterprises and smaller businesses globally. There is a particularly high concentration of affected organisations within the United States, but the product is used worldwide according to a search on Censys.
Relevance to the Supply Chain
It is important to understand the extent to which your supply chain is affected by this threat, particularly the potential impact from third parties that may use the Progress WS_FTP product to transfer files to and from their customers.
Given the verified threat of unauthorised access to files and opportunities for data exfiltration, any business files held by other organisations within the supply chain may be at risk of being breached, resulting in the loss of confidential information. In addition, there is the potential for an attacker to move onward into connected systems for further malicious objectives.
What should you do about it
There are immediate actions you should take to protect yourself from this threat.
If you use WS_FTP in your environments:
- Identify which versions of the WS_FTP product your organisation uses as advised by Progress Software here.
- Immediately deny all HTTP and HTTPS traffic to your WS_FTP product environments until the patch is applied.
- Look for signs of exploitation by following Progress Software’s instructions here.
- An initial list of known Indicators of Compromise (IoC) can be found in the Huntress and Rapid7 technical analyses referenced below.
- If any IoCs are found, follow your Incident Response policies.
- Apply the relevant patches for your software version found here.
- Re-enable HTTP and HTTPS traffic after verifying there are no further indicators of compromise.
- Understand to what extent your suppliers or partners are affected, and support them through actions 1 to 5. Suppliers can self-report their status by logging into Risk Ledger.
Where to find more information
This is an evolving situation and further action may be necessary. You can keep up to date with the latest information on this threat by following:
To understand how your supply chain is affected by the WS_FTP vulnerabilities, create your free account on Risk Ledger. You can find out more about how the Emerging Threats feature on Risk Ledger works here.