Vulns Discovered In One other Progress Software program File Switch App – Supply: www.govinfosecurity.com

Governance & Risk Management
,
Patch Management

‘There’s a 10-out-10 severity bug you want to patch proper now!’

Prajeet Nair (@prajeetspeaks) •
September 29, 2023

Progress Software has again sent customers on a scramble to hurriedly install emergency patches, this time for its secure FTP server software. A Wednesday patch advisory comes just months after hackers took advantage of a zero day in the Massachusetts company’s popular MOVEit file transfer software in a hack affecting tens of millions of individuals across the globe.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

The advisory says all variations of the WS_FTP Server are affected by a set of eight newly-disclosed flaws and tells prospects of no-longer supported variations to improve. The corporate says that ” 1000’s of IT groups” rely on its file switch protocol software.

Essentially the most extreme bug, tracked as CVE-2023-40044permits an unauthenticated attacker to execute distant instructions on the underlying working system by way of an assault that converts a hypertext switch protocol message right into a malicious object, a way often known as deserialization. The corporate assigns the vulnerability a CVSS rating of 10, the utmost potential.

“There’s a 10-out-10 severity bug you need to patch right now!” tweeted Sophos’s Paul Ducklin. “Even if you aren’t running WS_FTP yourself, but you have a third party who does, e.g. for payroll, check that they’ve patched… remember MoveIT?”

Progress Software program credit Assetnote for the invention, an Australian cybersecurity agency that said it’s going to disclose extra data a month from now “or if details of the exploit are publicly released.” Massachusetts cybersecurity agency Rapid7 says it examined the vulnerabilities however “is not aware of any exploitation in the wild as of September 29, 2023.”

“The vulnerability is trivially exploitable and allows an unauthenticated attacker to achieve remote code execution on the target system,” Caitlin Condon, Rapid7 head of vulnerability analysis, instructed Data Safety Media Group.

The bundle of emergency patches additionally features a second essential bug, tracked as CVE-2023-42657which carries a CVSS rating of 9.9. The flaw is a directory traversal vulnerability that permits attackers to carry out file operations resembling deletion outdoors their approved folder path or on recordsdata within the underlying working system.

The advisory additionally fastened three flaws rated as excessive. CVE-2023-40045 impacts WS_FTP Server’s Advert Hoc Switch module; CVE-2023-40046 impacts WS_FTP Server supervisor interface; and CVE-2023-40047 impacts WS_FTP Server’s Administration module.

Progress Software program continues to be coping with the aftermath of a mass hacking marketing campaign of its merchandise that started on Might 27 when the Russian-speaking Clop ransomware operation exploited a zero-day vulnerability in MOVEit. Consultants tracking the information theft marketing campaign now say greater than 2,000 organizations immediately or not directly fell sufferer.

The assault doesn’t seem to have impacted the publicly-traded firm financially, CEO Yogesh Gupta stated Tuesday throughout an earnings name, reported Cybersecurity Dive. A quarterly report filed with federal regulators in July stated that MOVEit merchandise accounted for less than roughly 4 p.c of firm income through the first half of this yr.

With reporting by Data Safety Media Group’s David Perera in Washington, D.C.