CVE-2023-40044 Scanner

WS_FTP Server is a commercial FTP server software used to securely transfer files between systems over the internet. It is widely employed across various industries that require reliable data exchange mechanisms, such as banking, healthcare, and government sectors. The software is known for providing strong authentication methods and robust data encryption. WS_FTP Server supports multiple file transfer protocols and allows seamless integration into enterprise-level IT infrastructures. It offers features like automated file operations and supports advanced features like SFTP, SCP2 over SSH, and FTPS over SSL. Organizations utilize WS_FTP Server to ensure secure data transactions while maintaining compliance with regulatory standards.

The deserialization vulnerability in WS_FTP Server could permit remote command execution due to insecure handling of serialized objects. Deserialization of untrusted data can allow attackers to manipulate serialized data to execute arbitrary code. This issue is particularly critical as it may lead to unauthorized operations on the server. Exploiting this kind of vulnerability does not require an attacker to authenticate, posing a significant risk. It is important to assess and remediate this vulnerability swiftly to mitigate potential security threats. The flaw is present in specific modules like the Ad Hoc Transfer, which can be targeted by an attacker to compromise the server environment.

Technically, the vulnerability resides in the Ad Hoc Transfer module, where a .NET deserialization method processes user input. When improperly managed, deserialization functions can be exploited to inject malicious constructs. Pre-authenticated attackers can misuse this vulnerability to leverage a malicious payload during the deserialization process. This payload can execute remote commands on the server, potentially leading to significant data breaches. Identification of this endpoint is crucial for pinpointing and addressing the threat, as the Ad Hoc Transfer module is susceptible due to its web-facing nature. Disabling this module or applying vendor patches can help mitigate the security risk.

If exploited, the vulnerability could allow attackers to gain control over the WS_FTP Server. This could result in unauthorized access to sensitive files and information, potentially leading to data leaks or data integrity loss. Malicious entities could execute arbitrary commands, affecting the overall functioning of the server. The breach could also enable lateral movement within the network, targeting other systems. User accounts and related data could be compromised, resulting in potential breaches of customer trust. It also opens avenues for installing backdoors, making the environment vulnerable to future attacks.

REFERENCES

• https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044
• https://censys.com/cve-2023-40044/
• https://www.progress.com/ws_ftp
• https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
• https://www.theregister.com/2023/10/02/ws_ftp_update/