Enterprise technology vendor Progress Software on Thursday shipped patches for critical-level security flaws in its WS_FTP file transfer software, warning that a pre-authenticated attacker could wreak havoc on the underlying operating system.
An urgent bulletin from the Burlington, Mass. company documented at least eight security defects that could be exploited remotely and urged enterprise customers to immediately upgrade to WS_FTP Server 2020.0.4 (8.7.4) and WS_FTP Server 2022.0.2 (8.8.2).
Progress Software said two of the vulnerabilities, CVE-2023-40044 and CVE-2023-40045, are rated critical due to the risk of pre-auth remote command execution attacks.
From the Progress Software bulletin:
- CVE-2023-40044 — In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system. Critical — CVSS: 10/10.
- CVE-2023-42657 — In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system. Critical — CVSS: 9.9/10.
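As an added illustration of the confinement the traversal entry above describes (example code, not code from Progress or from WS_FTP), the following Python contrasts a weak prefix check with one that resolves the requested path before testing it against the user's authorized folder; the root directory and file names are constructed.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed sample: a per-user "authorized folder path" of the kind a file
# transfer server confines each account to. The directory is hypothetical.
AUTHORIZED_ROOT = "/srv/wsftp/users/alice"

# Operations the advisory names as reachable outside the authorized folder.
GATED_OPERATIONS = {"delete", "rename", "rmdir", "mkdir"}


def naive_is_inside(root: str, requested: str) -> bool:
    """The weak check: string-prefix match on the joined path.

    It accepts '..' segments ("../bob/x" still starts with the root) and
    sibling directories that merely share the prefix ("alice2").
    """
    joined = os.path.join(root, requested)
    return joined.startswith(root)


def confined_path(root: str, requested: str) -> Optional[Path]:
    """Hardened check: collapse '..' and follow symlinks, then require the
    result to be the root itself or one of its descendants.

    Returns the safe absolute path, or None when the request must be denied.
    A leading separator is stripped so an absolute client path is treated as
    relative to the user's folder rather than replacing it.
    """
    root_resolved = Path(root).resolve()
    candidate = (root_resolved / requested.lstrip("/\\")).resolve()
    if candidate == root_resolved or root_resolved in candidate.parents:
        return candidate
    return None


def check_file_operation(op: str, requested: str, root: str = AUTHORIZED_ROOT) -> str:
    """Gate a file operation behind the confinement check and report the decision."""
    if op not in GATED_OPERATIONS:
        return f"deny: unsupported operation {op!r}"
    target = confined_path(root, requested)
    if target is None:
        return f"deny: {op} {requested!r} escapes {root}"
    return f"allow: {op} {target}"


if __name__ == "__main__":
    for op, req in [("mkdir", "inbox"), ("rmdir", "../../../../etc"), ("delete", "../alice2/notes.txt")]:
        print(f"naive={naive_is_inside(AUTHORIZED_ROOT, req)!s:5}  {check_file_operation(op, req)}")
```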
The company also called attention to a trio of high-severity bugs that could lead to reflected cross-site scripting (XSS) and SQL injection attacks.
Progress Software's security response team has found itself scrambling to respond to a wave of debilitating ransomware attacks that exploited zero-day flaws in its MOVEit managed file transfer software product.
Earlier this year, the company rushed out patches to cover at least three critical vulnerabilities and announced plans to release regular service packs with a "predictable, simple and transparent process for product and security fixes."
"We've heard from you that a regular cadence and predictable timeline will help you better plan your resources and make it easier to adopt new product updates and fixes. As part of these Service Packs, we will also be optimizing the installation process to make the upgrade process simpler," Progress said in a note posted with the first service pack.
Software vendors typically use a service pack to deliver a collection of updates, fixes, features or enhancements to an application. Service packs are delivered in the form of a single installable package.