Progress Software Disappointed Researchers Published PoC Of Newly Patched Bug

UPDATED 7:40pm ET on 10/3/2023

Progress Software is “disappointed” researchers who found a bug in its WS_FTP file transfer solution moved quickly to share the proof-of-concept (PoC) that can be used to exploit the vulnerability.

Three days after the vendor disclosed and issued patches for multiple WS_FTP bugs last week, researchers at Assetnote published a research note detailing the PoC they developed after discovering the vulnerability.

In-the-wild exploitation of the bug was not reported until after Assetnote shared its PoC, giving Progress another headache as it continues to deal with the fallout from the significant breach of MOVEit, one of its other products.

Progress said in a Sept. 27 advisory it had issued patches for eight vulnerabilities — two of them critical — in its WS_FTP Server Ad Hoc Transfer Module and WS_FTP Server manager interface.

One of the critical flaws, a .NET deserialization vulnerability in the Ad Hoc Transfer Module (CVE-2023-40044), had the highest possible CVSS rating of 10. The other, a directory traversal vulnerability in WS_FTP Server versions prior to 8.7.4 and 8.8.2 (CVE-2023-42657), was rated 9.9.

Progress urged its customers to apply the patches it had issued, but said it was not aware of the vulnerabilities being exploited.

Editor's Note: After publication of this report, Progress Software emailed a statement to SC Media. The statement follows:

We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch. We are not aware of any evidence that these vulnerabilities were being exploited prior to that release. Unfortunately, by building and releasing a POC rapidly after our patch was released, a third party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible.

The security of our customers is our top priority and we continue to work with our customers and responsible third-party research experts to discover, properly disclose and remediate any issues. We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors.

On Sept. 30, Assetnote published its PoC, saying: “This vulnerability turned out to be relatively straightforward and represented a typical .NET deserialization issue that led to RCE (remote code execution). It’s surprising that this bug has stayed alive for so long, with the vendor stating that most versions of WS_FTP are vulnerable.”

Also on Sept. 30, researchers at Rapid7 began observing the new bugs being exploited on several of its customers’ environments.

“The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers,” Rapid7 senior manager of vulnerability research Caitlin Condon wrote in a blog post.

“Additionally, our MDR team has observed the same Burpsuite domain used across all incidents, which may point to a single threat actor behind the activity we’ve seen,” she said.

In a statement, which did not name Assetnote, a Progress spokesperson said the company was “disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch.”

“This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch,” the spokesperson said.

“Unfortunately, by building and releasing a POC rapidly after our patch was released, a third party has given cyber criminals a tool to attempt attacks against our customers. … We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors.”

Progress’s claim that the PoC was reverse-engineered from the vulnerability disclosure and the company’s patch is at odds with Assetnote’s account of discovering the flaw itself, and with the credit given to Assetnote researchers for reporting CVE-2023-40044.

The question of how soon PoCs should be released after a vulnerability is disclosed was raised earlier this year when threat actors were quick to abuse a published PoC for a Fortinet vulnerability.

At the time, Trustwave SpiderLabs vice president of security research Ziv Mador said while threat actors could take advantage of them, PoCs were a valuable tool for helping security teams harden systems against vulnerabilities.

Threat actors could also develop their own PoCs, while restricting access to researcher-developed versions could hinder security teams’ efforts to respond to exploitations, Mador said.

Assetnote is yet to respond to Progress’s criticism, but in the post detailing the PoC it said: “We continue to perform original security research in an effort to inform our customers about zero-day vulnerabilities in their attack surface.”
