All versions of Progress Software’s WS_FTP Server are affected by two critical vulnerabilities. This article explains what we know so far.
All versions of Progress Software’s WS_FTP Server are affected by two critical vulnerabilities. These vulnerabilities allow arbitrary code execution and file traversal on the server. Proof-of-concept exploits have been publicly released, demonstrating that adversaries could gain access to, and control of, the server. This could potentially lead to further exploitation of connected systems.
Security updates are available for supported WS_FTP servers.
NOTE: Following their initial advisory, on 3rd October 2023 Progress Software changed the update for WS_FTP Server 2022 from version 8.8.2 to version 8.8.3. This is an evolving situation and you should continue to monitor the advisory for any further changes.
Progress Software posted a security advisory on 27th September 2023 detailing two critical vulnerabilities in the WS_FTP software package.
All supported versions are affected, but patches are available and should be applied immediately.
The critical deserialisation and file traversal vulnerabilities allow an attacker to execute arbitrary code and perform file changes on the server with the potential for onward exploitation of connected systems.
The same advisory also lists three high-severity vulnerabilities: two cross-site scripting vulnerabilities that enable an attacker to execute code in a victim’s browser, including the WS_FTP administrator’s browser, and a SQL injection that enables an attacker to obtain information about, and make changes to, the WS_FTP database.
Independent reports from Rapid7 and Huntress indicate that exploitation of these vulnerabilities has been observed in the wild; both reports provide indicators of compromise.
The threat applies to any organisation that uses the Progress WS_FTP product, which includes both blue-chip enterprises and smaller businesses globally. There is a particularly high concentration of affected organisations within the United States, but according to a search on Censys the product is used worldwide.
It is important to understand the extent to which your supply chain is affected by this threat, particularly the potential impact from third parties that may use the Progress WS_FTP product to transfer files to and from their customers.
Given the verified threat of unauthorised access to files and opportunities for data exfiltration, any business files held by other organisations within the supply chain may be at risk of being breached, resulting in the loss of confidential information. In addition, there is the potential for an attacker to move onward into connected systems for further malicious objectives.
There are immediate actions you should take to protect yourself from this threat.
If you use WS_FTP in your environments:
This is an evolving situation and further action may be necessary. You can keep up to date with the latest information on this threat by following:
To understand how your supply chain is affected by the WS_FTP vulnerabilities, create your free account on Risk Ledger. You can find out more about how the Emerging Threats feature on Risk Ledger works here.
Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.