
There have been several attacks on major MFT solutions recently, with vulnerabilities exploited to exfiltrate or encrypt data for ransom. This article describes the various MFT solutions targeted by the ransomware group Clop. It also describes a recent example affecting WS_FTP: CVE-2023-40044. In this article, we will dig deeper into this vulnerability.

Introduction

In the realm of digital security, the secure transfer of files and sensitive data holds utmost importance for enterprises. As organizations rely on file transfer solutions to facilitate seamless data exchange, the discovery of critical vulnerabilities within these solutions has become a pressing concern. In the past year, threat intelligence organizations have been actively warning about the exploitation of such vulnerabilities in the wild.

Among these concerns lies CVE-2023-40044, a significant vulnerability affecting WS_FTP, a managed file transfer solution. This vulnerability poses a severe risk, particularly impacting WS_FTP’s Ad Hoc Transfer module, allowing remote code execution due to an unsafe deserialization flaw.

In this article, we will delve into the intricacies of CVE-2023-40044, uncover its implications, and introduce S-Filer as a robust and secure alternative solution.

The CVE-2023-40044 Vulnerability

The CVE-2023-40044 vulnerability in WS_FTP is a critical security issue that demands immediate attention if you are using versions prior to 8.7.4 and 8.8.2. This vulnerability arises from unsafe deserialization, a common weakness found in software applications that handle serialized data. It specifically impacts the Ad Hoc Transfer (AHT) module in WS_FTP Server, which handles user file uploads.

The vulnerability is rooted in the insecure implementation of an IIS HTTP module for AHT. IIS HTTP modules are executed on every request received by AHT. As a result, it can be difficult for WAFs or defenders to identify a malicious request based on the URL path alone. Furthermore, no authentication checks are present on this functionality, which makes it exploitable by an unauthenticated attacker.

During the processing of a file upload request, the IIS HTTP module “MyFileUpload.UploadModule” passes the attacker-controlled content of the request to ASP.NET BinaryFormatter’s Deserialize function, which is known to be vulnerable by design when used with untrusted data. (Ref: https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide#binaryformatter-security-vulnerabilities)
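The following is an added illustration, not WS_FTP’s own code: a minimal IHttpModule written in the vulnerable pattern described above (raw request body fed to BinaryFormatter before any authentication) beside a hardened form that hooks in after authentication, bounds the body size and parses a closed, data-only contract. The module names, the UploadEnvelope type and the 64 KB limit are assumptions made for the example.

```csharp
using System;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Runtime.Serialization.Json;
using System.Web;

// Hypothetical, data-only upload envelope; not the real WS_FTP AHT type.
[DataContract]
public sealed class UploadEnvelope
{
    [DataMember] public string FileName { get; set; }
    [DataMember] public long Length { get; set; }
}

// VULNERABLE pattern, for contrast: runs on every request, before authentication,
// and lets BinaryFormatter instantiate whatever types the body names (CWE-502).
public sealed class UnsafeUploadModule : IHttpModule
{
    public void Init(HttpApplication app) { app.BeginRequest += OnRequest; }
    public void Dispose() { }
    private static void OnRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        ctx.Items["upload"] = (UploadEnvelope)new BinaryFormatter().Deserialize(ctx.Request.InputStream);
    }
}

// HARDENED pattern: hook after authentication, reject anonymous callers and
// oversized bodies, and parse a closed contract with a serializer that never
// resolves types named in the payload.
public sealed class SafeUploadModule : IHttpModule
{
    private const int MaxBodyBytes = 64 * 1024; // assumed limit for the example
    private static readonly DataContractJsonSerializer Parser =
        new DataContractJsonSerializer(typeof(UploadEnvelope));
    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnRequest; }
    public void Dispose() { }
    private static void OnRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) { Reject(app, 401); return; }
        if (ctx.Request.ContentLength > MaxBodyBytes) { Reject(app, 413); return; }
        try { ctx.Items["upload"] = (UploadEnvelope)Parser.ReadObject(ctx.Request.InputStream); }
        catch (SerializationException) { Reject(app, 400); }
    }
    // End the pipeline here so no downstream handler sees the rejected request.
    private static void Reject(HttpApplication app, int status)
    {
        app.Context.Response.StatusCode = status;
        app.CompleteRequest();
    }
}
```

Because the module still runs on every request, the authentication and size checks are what keep the parsing step off the unauthenticated attack surface; swapping the serializer alone would not be enough.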

By leveraging the deserialization sink, an attacker can execute malicious code within the WS_FTP environment. This opens the door to unauthorized access, data breaches, and the compromise of critical systems. The implications of this vulnerability are severe, highlighting the urgent need for remediation.

To address the CVE-2023-40044 vulnerability, the WS_FTP vendor has released versions 8.7.4 and 8.8.2. It is vital for organizations using WS_FTP’s Ad Hoc Transfer module to ensure they are using one of these patched versions to protect their instances effectively.

Introducing S-Filer as a Secure Alternative Solution

OKIOK’s S-Filer/Portal is an alternative secure MFT solution. It uses an entirely different technology stack, so it is not vulnerable to the CVE mentioned above. However, no solution can claim to be invulnerable, and we certainly don’t claim this for our solution. In 2016, a critical Struts2 vulnerability affected S-Filer/Portal instances. Within 24 hours of the vulnerability being disclosed, OKIOK provided a patched version and notified all of its on-prem customers of the vulnerability and of the urgency to patch. We mobilized the entire team and offered free upgrade assistance to our clients to address the issue as quickly as possible.

Since then, OKIOK has started offering S-Filer/Portal as a SaaS offering hosted from tenants dedicated to each client. For these SaaS instances, OKIOK performs regular and emergency patching as well as security monitoring using its “Managed Detection and Response” (MDR) service. It also implements strict access controls, MFA, access reviews and many other security controls. All of these controls are audited annually by an independent auditor as part of our ISO 27001 certification. At OKIOK, we take security seriously and it keeps us awake at night so you can rest assured that your data is well protected.
