A remote code execution (RCE) vulnerability in a popular file transfer application is being actively exploited, with the United States Critical Infrastructure Security Agency (CISA) telling American government entities to remediate the flaw.
The application, Wing FTP Server, is used in Australia and New Zealand as well, and CISA is advising all organisations to update their installations to handle the serious vulnerability.
Discovered by researcher Julien Ahrens of RCE Security on June 30, the flaw allows attackers to inject Lua code, which can lead to full server compromise.
Lua is a popular programming language, commonly used in embedded applications.
“In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle ‘�’ bytes, ultimately allowing injection of arbitrary Lua code into user session files.
“This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).
“This is thus a remote code execution vulnerability that guarantees a total server compromise. [It] is also exploitable via anonymous FTP accounts,” the CVE record states.
CISA has scored the critical vulnerability as a maximum 10 out of 10 possible.
[embedded content]
Threat researcher at security vendor Huntress running an exploitation proof-of-concept on a vulnerable Wing FTP Server.
Security vendor Huntress said it saw the vulnerability exploited just a day after details of the flaw were published.
Licensed on a shareware, try-before-you-buy basis, Wing FTP counts the US Air Force, airplane maker Airbus, fashion house Sephora, Reuters and electronics giant Sony among its customers.
The not-for-profit ShadowServer Foundation scanned the internet for Wing FTP Server instances in Oceania, and found 24 on Australian networks, and one in New Zealand.
Testing to see if the servers found are vulnerable was not done by the Shadow Foundation.
Otherwise, the countries with the most Wing FTP Servers are the United States, China, Germany, and the UK.
Server intelligence company Censys, meanwhile, found over 5000 potentially vulnerable Wing FTP Servers, with their web interfaces exposed to the internet.
Updating Wing FTP Server to 7.4.4 or newer handles the server compromise vulnerability, but Ahrens noted that it doesn’t fix the software being granted overly permissive rights, running as root/SYSTEM by default bug.
Securing file transfers over the internet is difficult, with several recent security incidents taking place.
