Progress Software has patched two critical vulnerabilities in WS_FTP Server, one of its file-transfer products, as part of a batch of eight fixes released this week. The company is still reeling from the impact of a vulnerability in another of its products, MOVEit Transfer, which led to the biggest cyberattack of the year, and it will be hoping these new flaws are not exploited by criminals.
WS_FTP Server, formerly known as WinSock FTP, is one of the internet's oldest FTP servers and, according to its website, is used globally to support millions of end users in transferring billions of files and petabytes of data. The vulnerabilities patched this week affect all supported versions of the product prior to the fixed releases, 8.7.4 and 8.8.2, and the company advises its customers to "update immediately".
Two of the vulnerabilities listed in the advisory released on Wednesday have been given a critical severity rating. The most severe is CVE-2023-40044, which received the highest possible CVSS score of 10.0. It is a .NET deserialisation flaw in the product's Ad Hoc Transfer module: an attacker who has not authenticated can submit a crafted serialised object that the server deserialises unsafely, allowing them to "execute remote commands" on the underlying operating system and take control of the server.
The second critical vulnerability, tracked as CVE-2023-42657, received a severity score of 9.9. It is a directory traversal flaw that lets attackers delete, rename or create files and folders outside the WS_FTP folder they are authorised to access, including on the underlying operating system's file system.
The other six vulnerabilities have severity ratings ranging from 5.3 to 8.3 and include cross-site scripting, which lets attackers execute malicious JavaScript in a victim's browser, and SQL injection, which lets them read, alter or delete database contents, among other risks.
“Upgrading to a patched release, using the full installer, is the only way to remediate this issue,” Progress Software said.
More problems for Progress after MOVEit Transfer attacks
Progress is in the midst of dealing with the fallout from the attacks that exploited a vulnerability in the MOVEit Transfer software, which businesses use to move files securely. The Russia-linked ransomware gang Cl0p discovered and has been exploiting the bug, and has so far obtained data from more than 2,000 organisations, affecting 62 million people, according to security company Emsisoft. Researchers at another vendor, Coveware, believe the gang could make $75–100m from the campaign.
It is no surprise that Cl0p could cash in, given the profile of the companies involved. Big names including British Airways, the BBC and Boots have all fallen victim to the vulnerability, in many cases not through their own systems but through a breach at one of their suppliers (the payroll provider Zellis, in the case of those three).
Progress Software is facing several lawsuits as a consequence of the attacks. The company has been hit with legal action from organisations such as Bank of America, TD Ameritrade and Johns Hopkins University, as well as dozens of others.