UPDATED 12:30pm ET on 10/4/2023
Progress Software is “disappointed” that a researcher turned to social media to publish a proof-of-concept exploit of a critical flaw in its WS_FTP file transfer solution as quickly as they did. The PoC for one of the bugs was shared on the social platform X by a user with the handle "MCKSys Argentina" on Sept. 29 and can be used to exploit the .NET deserialization vulnerability tracked as CVE-2023-40044.
Progress disclosed the bugs on Sept. 27, when it issued patches for multiple WS_FTP flaws. The X post was followed by a write-up from Assetnote detailing the PoC it had developed; Assetnote's research was independent of the PoC posted on X.
"Our coordinated disclosure policy works on a 90 day timeline where we will disclose via our website 90 days after we report to a vendor," Assetnote wrote in its PoC disclosure of CVE-2023-40044.
Reports of in-the-wild exploitation add another headache for Progress as it continues to deal with the fallout from the significant breach of MOVEit, one of its other products.
Untangling a tangled timeline
Progress said in a Sept. 27 advisory it had issued patches for eight vulnerabilities — two of them critical — in its WS_FTP Server Ad Hoc Transfer Module and WS_FTP Server manager interface.
One of the critical flaws is the .NET deserialization vulnerability in the Ad Hoc Transfer Module (CVE-2023-40044), which carries the highest possible CVSS rating of 10. The other, a directory traversal vulnerability in WS_FTP Server versions prior to 8.7.4 and 8.8.2 (CVE-2023-42657), was rated 9.9.
Progress urged its customers to apply the patches it had issued, but said it was not aware of the vulnerabilities being exploited.
In a statement, which at the time did not name Assetnote, a Progress spokesperson said the company was “disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch.”
Progress has since reached out to SC Media and emphasized that its disappointment is directed at the timeline of the PoC posted to X, and not at Assetnote's coordinated disclosure.
“This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch,” the spokesperson said.
“Unfortunately, by building and releasing a POC rapidly after our patch was released, a third party has given cyber criminals a tool to attempt attacks against our customers. … We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors.”
Progress asserts the PoC posted to X was reverse engineered from the vulnerability disclosure and the company’s patch.
Assetnote said its separate PoC was developed through its own independent analysis and discovery of the flaw in the wild. On the CVE Program website, maintained by the MITRE Corporation, Assetnote researchers Shubham Shah and Sean Yeoh are credited with discovering CVE-2023-40044.
Vulnerability exploited in the wild
On Sept. 30, researchers at Rapid7 began observing the new bugs being exploited on several of its customers’ environments.
“The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers,” Rapid7 senior manager of vulnerability research Caitlin Condon wrote in a blog post.
“Additionally, our MDR team has observed the same Burpsuite domain used across all incidents, which may point to a single threat actor behind the activity we've seen,” she said.
PoC debate redux
The question of how soon PoCs should be released after a vulnerability is disclosed was raised earlier this year when threat actors were quick to abuse a published PoC for a Fortinet vulnerability.
At the time, Trustwave SpiderLabs vice president of security research Ziv Mador said while threat actors could take advantage of them, PoCs were a valuable tool for helping security teams harden systems against vulnerabilities.
Threat actors could also develop their own PoCs, while restricting access to researcher-developed versions could hinder security teams’ efforts to respond to exploitations, Mador said.
(Editor's Note: This article was updated 12:30pm ET 10/4/2023 to amplify the timelines of disclosure and to more specifically emphasize that Progress Software's initial "disappointment" was not directed at Assetnote.)