Progress Software, the maker of the MOVEit Transfer file-sharing platform recently exploited in widespread data theft attacks, warned customers to patch a maximum severity vulnerability in its WS_FTP Server software.
The company says thousands of IT teams worldwide use its enterprise-grade WS_FTP Server secure file transfer software.
In an advisory published on Wednesday, Progress disclosed multiple vulnerabilities impacting the software’s manager interface and Ad hoc Transfer Module.
Out of all WS_FTP Server security flaws patched this week, two of them were rated as critical, with the one tracked as CVE-2023-40044 receiving a maximum 10/10 severity rating and allowing unauthenticated attackers to execute remote commands after successful exploitation of a .NET deserialization vulnerability in the Ad Hoc Transfer module.
The other critical bug (CVE-2023-42657) is a directory traversal vulnerability that enables attackers to perform file operations outside the authorized WS_FTP folder path.
“Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system,” Progress said.
According to the company’s CVSS:3.1 rating for both vulnerabilities, attackers can exploit them in low-complexity attacks that don’t require user interaction.
“We have addressed the vulnerabilities above and the Progress WS_FTP team strongly recommends performing an upgrade,” Progress warned.
“We do recommend upgrading to the most highest version which is 8.8.2. Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running.”
The company also shared information on how to remove or disable the vulnerable WS_FTP Server Ad Hoc Transfer Module if it’s not being used.
2,100 successful MOVEit data theft attacks and counting
Progress is still grappling with the aftermath of an extensive series of data theft attacks following the exploitation of a zero-day in the MOVEit Transfer secure file transfer platform by the Clop ransomware gang starting May 27.
As per estimates shared by security firm Emsisoft on Monday, the fallout of these attacks has affected more than 2,100 organizations and over 62 million individuals.
Despite the broad scope and the large number of victims, Coveware’s estimates suggest that only a a limited number are likely to succumb to Clop’s ransom demands. Nevertheless, the cybercriminal group is anticipated to collect an estimated $75-100 million in payments because of their high ransom demands.
Furthermore, reports have also surfaced indicating that multiple U.S. federal agencies and two entities under the U.S. Department of Energy (DOE) have fallen victim to Clop’s data theft attacks.
Clop has been linked to multiple high-impact data theft and extortion campaigns targeting other managed file transfer platforms, including Accellion FTA servers in December 2020, the 2021 SolarWinds Serv-U Managed File Transfer attacks, and the mass exploitation of a GoAnywhere MFT zero-day in January 2023.
On Tuesday, Progress Software reported a 16% year-over-year revenue increase for its fiscal third quarter that ended on August 31, 2023, in an 8-K form filed with the U.S. Securities and Exchange Commission.
Progress excluded “certain expenses resulting from the zero-day MOVEit Vulnerability” from the report as it intends “to provide additional details regarding the MOVEit Vulnerability in our Form 10-Q for the quarter ended August 31, 2023.”