Progress Software, the company behind the MOVEit Transfer file-sharing platform, has issued a warning to its customers about a severe vulnerability in its WS_FTP Server software. This software is used by thousands of IT teams around the world for secure file transfer.
In a recent advisory, the company disclosed several vulnerabilities affecting the software's manager interface and Ad Hoc Transfer Module. Among the flaws patched this week, two were rated critical. The first, tracked as CVE-2023-40044, received the maximum severity rating of 10/10: it is a .NET deserialization vulnerability in the Ad Hoc Transfer Module that could allow unauthenticated attackers to execute remote commands.
The second critical bug, CVE-2023-42657, is a directory traversal vulnerability that could enable attackers to perform file operations outside the authorized WS_FTP folder path. In Progress's own words, 'Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.'
Progress's CVSS:3.1 ratings for both vulnerabilities indicate that they can be exploited in low-complexity attacks that require no user interaction. Progress has urged customers to upgrade to the latest version of the software, 8.8.2, which fixes these vulnerabilities. The company also provided guidance on removing or disabling the WS_FTP Server Ad Hoc Transfer Module where it is not in use.
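As an added, defender-side illustration (example code, not Progress's or WS_FTP Server's own), the kind of containment check a file-transfer server must apply before the operations the advisory lists (delete, rename, rmdir, mkdir): every requested path is canonicalised and must resolve under the authorized folder, otherwise the operation is refused. The sandbox root, paths and operation names are constructed for the demo.

```python
import os
import tempfile

def is_within_root(root: str, candidate: str) -> bool:
    """True only if `candidate` resolves inside `root` (symlinks followed,
    '..' collapsed), so relative or absolute segments cannot escape it."""
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(os.path.join(real_root, candidate))
    try:
        return os.path.commonpath([real_root, real_candidate]) == real_root
    except ValueError:  # different drives on Windows: certainly outside
        return False

def guarded_operation(root: str, op: str, path: str, new_path: str = "") -> str:
    """Run delete/rename/rmdir/mkdir only when every path stays inside `root`."""
    for target in [path] + ([new_path] if new_path else []):
        if not is_within_root(root, target):
            return f"refused: {op} {target!r} escapes the authorized folder"
    base = os.path.realpath(root)
    full = os.path.join(base, path)
    if op == "mkdir":
        os.makedirs(full, exist_ok=True)
    elif op == "rmdir":
        os.rmdir(full)
    elif op == "delete":
        os.remove(full)
    elif op == "rename":
        os.rename(full, os.path.join(base, new_path))
    else:
        return f"refused: unknown operation {op!r}"
    return f"ok: {op} {path!r}"

def demo() -> dict:
    """Exercise the check against a constructed, empty sandbox root."""
    root = tempfile.mkdtemp(prefix="ft-root-")  # constructed stand-in root
    return {
        "inside": is_within_root(root, "uploads/report.pdf"),
        "parent": is_within_root(root, ".."),
        "nested": is_within_root(root, "uploads/../../other"),
        "mkdir_ok": guarded_operation(root, "mkdir", "uploads/2023"),
        "mkdir_escape": guarded_operation(root, "mkdir", "../outside"),
        "rename_escape": guarded_operation(root, "rename", "uploads/2023", "../moved"),
        "rmdir_ok": guarded_operation(root, "rmdir", "uploads/2023"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```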
Progress is still dealing with the fallout of a series of data theft attacks that began in May, following the exploitation of a zero-day vulnerability in the MOVEit Transfer platform by the Clop ransomware gang. Security firm Emsisoft estimates that these attacks have impacted more than 2,100 organizations and over 62 million individuals. Despite the wide reach of these attacks, only a limited number of victims are expected to pay Clop's ransom demands. However, the group is still expected to net an estimated $75-100 million due to their high ransom demands.
In addition to these attacks, there are reports that multiple U.S. federal agencies and two entities under the U.S. Department of Energy (DOE) have been targeted by Clop's data theft attacks. Clop has been linked to several other high-profile data theft and extortion campaigns targeting managed file transfer platforms, including the 2021 SolarWinds Serv-U Managed File Transfer attacks and the mass exploitation of a GoAnywhere MFT zero-day in January 2023.
Despite these challenges, Progress Software reported a 16% year-over-year revenue increase for its fiscal third quarter that ended on August 31, 2023. The company has excluded 'certain expenses resulting from the zero-day MOVEit Vulnerability' from the report, with plans to provide more details in the Form 10-Q for the quarter ended August 31, 2023.