CVE-2023-40044: WS_FTP Exploit In the Wild
Table of Contents
What is CVE-2023-40044?
CVE-2023-40044 is a critical vulnerability allowing attackers to perform Remote Code Execution. To take advantage of this vulnerability, an attacker sends a special POST request. Currently, malicious actors are actively leveraging this vulnerability in real-world attacks.
What is vulnerable, and how bad is it?
This CVE only affects the WS_FTP ad hoc module in IIS. The problem is that WS_FTP would generally be on the internet-facing web servers. An attacker only has to make a special POST request to the servers, and it would cause the Remote Code Execution.
Recommendations for Everyone
Please install the latest patch for WS_FTP.
Recommendations for ThreatLocker® Customers
Since the attack spawns from w3wp.exe, this could be stopped through ThreatLocker® Ringfencing™. ThreatLocker® Ringfencing™ can prevent any process, such as w3wp.exe, from interacting with PowerShell or the Windows Command Line. In addition, Ringfencing™ can stop a process from spawning additional processes. The video below shows an example of ThreatLocker® Ringfencing stopping WinRAR from generating a process. Although Ringfencing™ does not fix/patch the vulnerability, it does prevent the most common post-exploitation techniques a hacker would use.
Video Demonstration of ThreatLocker® Ringfencing™
0:00:04 – Open Real Time Unified Audit.
0:00:10 – Clicking on a file inside of a WinRAR ZIP that can exploit CVE-2023-38831.
0:00:12 – The Exploit and trying to spawn an additional process that is hidden inside the ZIP file.
0:00:16 – ThreatLocker® blocking the attempt to generate an additional process through Ringfencing™.