Progress Software has hit out after a security researcher released a proof-of-concept (POC) exploit for a critical new vulnerability in its WS-FTP file transfer software days after it pushed a patch – highlighting afresh the debate around the merits/risks of early exploit disclosure.
Users of the company’s MOVEit file transfer software suffered mass exploitation this summer, when criminals abused CVE-2023-34362 to hit more than 2,100 organisations – impacting over 62 million people.
Progress’s WS-FTP file transfer software is now also being exploited in the wild, after POCs were published for a CVSS 10 bug allocated CVE-2023-40044 that it had released a patch for on September 27. (Rapid7 has some details on the process execution chain here…)
That vulnerability had been identified and disclosed by Assetnote, which takes a 30 to 90 day disclosure approach (more below.) But shortly after the patch was released a security researcher posted a POC on X; Assetnote then also published a detailed blog, revealing that it could be exploited with a single HTTPS POST request and a free widget.
POC disclosure: A them and us mentality prevails
A Progress spokesperson told The Stack this week by email: "We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch. We are not aware of any evidence that these vulnerabilities were being exploited prior to that release.
“Unfortunately, by building and releasing a POC rapidly after our patch was released, a third-party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible.The security of our customers is our top priority and we continue to work with our customers and responsible third-party research experts to discover, properly disclose and remediate any issues. We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors.”
Assetnote co-founder Shubham Shah told The Stack: “Our coordinated disclosure policy works on a 90 day timeline where we will disclose via our website 90 days after we report to a vendor. If a patch is released prior to that time our general policy is to allow 30 days before disclosure to allow for patch uptake however if an exploit or PoC is publicly released independently within that timeline we will publish.
“In this case there was an independent researcher on Twitter/X that publicly disclosed a PoC after the patch was released so we published our research” he said, reflecting that balancing the level of information that advisories give away (i.e. to emphasise the severity or to share details in mitigation whilst avoiding arming offensive actors) is tricky.
Yet Progress’s view that the POC “provided threat actors a roadmap on how to exploit the vulnerabilities” will be controversial with some.
Well-armed and resourced cybercriminal gangs typically reverse-engineer critical patches to identify exploit paths swiftly (often within hours, even for less “prime target” SAP applications, which are weaponised within 72 hours of a patch release; other software exploits can be faster) and many security researchers take the view that they are doing the lord’s own work by sharing more information about a vulnerability that may enable end users to prioritise patching or identify attack paths more easily.
Their view, typically, is that vendors should focus more on securing their software (Progress’s MOVEit flaw involved vanilla SQL injection; the WS-FTP bug is the result of some poor coding choices and Assetnote successfully achieved Remote Command Execution through insecure deserialization, without authentication “after about a day of auditing the source code”) rather than shooting the messenger.
Many white hats are also more proactive than vendors about personal outreach to exposed customers – although whether potential victims are more mindful of official vendor advisories or random outreach from security researchers may depend on the security team in question.
Progress Software meanwhile appears, since the disclosure, to have pulled down a free trial software download page that had let the security researcher in question easily reverse engineer the patch.
“Your work and the availability of the software for trial allowed us to contact most of the critical installs 24h later. I guess it'll be only threat actors using the exploits without knowledge for the next one” one critic of that move, the LeakIX vulnerability project lamented on X.
Progress Software meanwhile faces a flurry of class action lawsuits over the MOVEit breaches, with law firm Hagens Berman filing its latest class-action lawsuit against Progress Software on August 15, 2023.