Progress Software, maker of the widely exploited managed file transfer product MOVEit, has issued urgent security patches for its WS_FTP Server product. Eight vulnerabilities were disclosed, affecting the software's Ad Hoc Transfer module and the WS_FTP Server management interface.
These vulnerabilities carry CVSS severity scores ranging from 5.3 to 10. CVSS, the Common Vulnerability Scoring System, is a free and open industry standard for rating the severity of software vulnerabilities. Scores map to severity ratings as follows: None: 0.0, Low: 0.1 – 3.9, Medium: 4.0 – 6.9, High: 7.0 – 8.9, and Critical: 9.0 – 10.0.
WS_FTP Server versions prior to 8.7.4 and 8.8.2 are vulnerable to .NET deserialization attacks; if successfully exploited, these flaws could allow an attacker to execute commands on the underlying host. Note that the fixed versions are per release branch: 8.8.0 and 8.8.1 are still affected even though they are numerically newer than 8.7.4. Prominent customers such as Scientific American, H&M and the Denver Broncos American football team are advised to update their installations to reduce the risk.
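The "prior to 8.7.4 and 8.8.2" wording trips up naive version comparisons, so here is a branch-aware check you can run against a software inventory. This is an added example written for this article, not code from Progress or from the WS_FTP product; the fixed-version table is taken from the advisory wording above, and the inventory rows are constructed sample data.

```python
"""
Branch-aware triage of WS_FTP Server versions against the advisory
statement "versions prior to 8.7.4 and 8.8.2 are vulnerable".

A plain tuple comparison against 8.7.4 would wrongly mark 8.8.0 and
8.8.1 as patched; the fix for the 8.8 branch only landed in 8.8.2.
"""
from typing import Dict, List, Tuple

# Fixed version per maintained release branch, as stated in the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (8, 7): (8, 7, 4),
    (8, 8): (8, 8, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.7.3' or '8.8.1.0' into a tuple of ints.

    Parsing stops at the first non-numeric component, so a trailing
    build tag such as '8.7.4-hotfix' does not break the comparison.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts)


def is_vulnerable(text: str) -> bool:
    """True if the installed version predates the fix for its branch."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison handles 8.7.4 vs 8.7.4.0 correctly: a bare
        # '8.7' (unknown patch level) compares as older and is flagged.
        return version < FIXED_BY_BRANCH[branch]
    # Branches older than 8.7 predate both fixes; newer branches do not.
    return branch < (8, 7)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose WS_FTP Server build needs patching."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hostname -> reported product version).
SAMPLE_INVENTORY = {
    "ftp-legacy-01": "8.6.9",
    "ftp-prod-01": "8.7.3",
    "ftp-prod-02": "8.7.4",
    "ftp-new-01": "8.8.1",    # newer than 8.7.4 but still unpatched
    "ftp-new-02": "8.8.2",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs patching")
```

The point of the example is the branch table: any checker that reduces the advisory to a single "less than 8.7.4" test will report the 8.8.0 and 8.8.1 hosts as safe.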
Pôle emploi, the French government agency responsible for unemployment registration and benefits, reported a data breach stemming from the MOVEit vulnerability. The agency stated, “Pôle emploi became aware of the violation of the information system of one of its providers involving a risk of disclosure of personal data of job seekers.” Job seekers registered in February 2022, as well as former users of the job centre, are potentially affected by this data theft.
Other Tech Giants Release Security Updates
Alongside Progress Software, several other tech giants issued security updates this week for newly disclosed vulnerabilities. Details of six flaws in Exim, the widely used open-source mail server, were published, three of which remained unpatched at the time of disclosure; the two most severe allow full remote code execution. Cisco rushed out patches for a remote code execution bug in the Group Encrypted Transport VPN feature of IOS that had been exploited in the wild. Apple shipped fixes in Safari 17 and macOS Sonoma, and Google patched Chrome's fifth zero-day vulnerability of 2023.