(Author: Harsh Waghela)
Progress Software has issued urgent patches for its secure FTP server software, prompting customers to swiftly install them. This follows a recent incident where hackers exploited a vulnerability in the widely used MOVEit file transfer software, affecting millions of people worldwide.
This specific bug enables attackers to gain remote access to the system using a technique called "Deserialization." To understand Deserialization better, consider it as converting complex data or objects into a format for easy storage or transmission, much like turning a LEGO structure into a blueprint and vice versa, using that blueprint to reconstruct the original data or object. In the case of this vulnerability, an attacker can inject malicious code into serialized data. If the application fails to validate it properly, the code can execute on the target system.
Another critical CVE reported is the directory traversal vulnerability. In computer systems, this is a tactic used by hackers to bypass standard file access rules by navigating to different directories, potentially accessing unauthorized files or data. This breach poses a threat to an organization's data integrity and confidentiality.
Customers using affected versions of WS_FTP Server should immediately install the emergency patches. The severity of CVE-2023-40044 is emphasized, and all users, even those not directly running WS_FTP, are encouraged to ensure that third-party dependencies, such as those used for payroll, are also patched.
Preventing Directory Traversal Vulnerability:
Implement Input Validation
Utilize whitelists to specify and permit only authorized directory paths. This restricts file operations to predefined paths, preventing unauthorized access.
Encode User Input
Apply the Principle of Least Privilege
Regularly conduct security audits and code reviews to identify and rectify potential vulnerabilities, including those related to directory traversal.
Preventing Deserialization Attacks:
Select deserialization libraries or frameworks that incorporate built-in security features to mitigate common vulnerabilities. Libraries with proper input validation can thwart the exploitation of malicious data.
Implement digital signatures to verify the integrity of serialized data during transport or storage, ensuring it hasn't been tampered with.
Whitelist the classes eligible for deserialization, allowing only those necessary for the application's functionality.
Validate and sanitize deserialized data before using it.
Utilize security headers in web applications to mitigate attacks like Cross-Site Scripting (XSS), which could inject malicious serialized data.
Keep software regularly updated.
Reference -
Comments