<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2023-40044 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2023-40044/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2023-40044/feed.xml" rel="self" type="application/rss+xml"/><item><title>WS_FTP Remote Code Execution Vulnerability (CVE-2023-40044)</title><link>https://feed.craftedsignal.io/briefs/2024-01-wsftp-rce/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wsftp-rce/</guid><description>Exploitation attempts targeting CVE-2023-40044 in WS_FTP software can lead to remote code execution via crafted HTTP POST requests, potentially allowing attackers to gain unauthorized access and compromise the affected system.</description><content:encoded><![CDATA[<p>CVE-2023-40044 is a remote code execution vulnerability affecting WS_FTP Server. The vulnerability stems from insufficient validation of user-supplied input, allowing attackers to execute arbitrary code on the server. Exploit attempts typically involve sending a specially crafted HTTP POST request to the <code>/AHT/AhtApiService.asmx/AuthUser</code> endpoint. Publicly available Metasploit modules and Nuclei templates exist to exploit this vulnerability. Successful exploitation can lead to complete system compromise, including data exfiltration, installation of backdoors, and lateral movement within the network. Defenders should prioritize patching vulnerable WS_FTP servers and implementing detection mechanisms to identify and block exploitation attempts. The Metasploit module is focused on hitting the /AHT/ endpoint, not the full /AHT/AhtApiService.asmx/AuthUser URL, which can be used for tuning detection rules.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable WS_FTP server exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/AHT/AhtApiService.asmx/AuthUser</code> endpoint.</li>
<li>The POST request contains a payload designed to exploit CVE-2023-40044 and execute arbitrary code.</li>
<li>The vulnerable WS_FTP server processes the malicious POST request without proper validation.</li>
<li>The attacker's payload is executed, allowing the attacker to gain a shell on the server.</li>
<li>The attacker leverages the shell to perform reconnaissance, identify sensitive data, and escalate privileges.</li>
<li>The attacker installs a backdoor for persistent access.</li>
<li>The attacker exfiltrates sensitive data or deploys ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2023-40044 can lead to complete compromise of the WS_FTP server. This can result in data breaches, financial loss, reputational damage, and disruption of services. The number of victims and sectors targeted is currently unknown, but given the widespread use of WS_FTP Server, the potential impact is significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the latest patch for WS_FTP Server to address CVE-2023-40044 immediately.</li>
<li>Deploy the Sigma rule <code>Detect WS_FTP CVE-2023-40044 Exploitation Attempt</code> to your SIEM to identify malicious HTTP POST requests targeting the vulnerable endpoint.</li>
<li>Inspect web server logs for POST requests to <code>/AHT/AhtApiService.asmx/AuthUser</code> with a 200 status code originating from untrusted sources.</li>
<li>Monitor network traffic for suspicious outbound connections originating from WS_FTP servers.</li>
<li>Review and harden the configuration of your WS_FTP server, following security best practices.</li>
<li>Implement a web application firewall (WAF) rule to block known CVE-2023-40044 exploitation patterns.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ws_ftp</category><category>rce</category><category>cve-2023-40044</category><category>webserver</category></item></channel></rss>