CVE-2023-40051: Critical Progress OpenEdge Vulnerability Threatens Server Security

A critical vulnerability, identified as CVE-2023-40051 and rated with a CVSS score of 9.1, has been spotlighted within several iterations of the Progress Application Server for OpenEdge (PASOE).

CVE-2023-40051 manifests itself across multiple versions of OpenEdge, specifically in versions 11.7 before 11.7.18, 12.2 prior to 12.2.13, and innovation releases before 12.8.0. At its core, the vulnerability stems from an oversight in the WEB transport mechanism of PASOE, which inherently supports file uploads across all web handlers. Astonishingly, this includes the built-in handlers, which are integral to the software’s operation.

Under normal circumstances, the capability for file upload is intended to be disabled by default, as indicated by the blank “fileUploadDirectory” property in the openedge.properties file. However, this default setting inadvertently leaves the door ajar, granting access to all directories for the user account that initiated the PASOE instance. This oversight becomes a glaring vulnerability if these directories possess write permissions, laying the groundwork for a malicious entity to execute a file upload attack on the system—Linux or the root drive on Windows systems.

An attacker can formulate a request for a web transport that allows unintended file uploads to a server directory path on the system running PASOE,” the advisory states.

An attacker, armed with the knowledge of this flaw, could craft a request for the WEB transport that permits unintended file uploads to a server directory path on the affected system. Should the uploaded file contain a payload capable of further exploiting the server or its network, the seeds for a larger-scale attack are sown, threatening the integrity and confidentiality of the impacted systems.

If the upload contains a payload that can further exploit the server or its network, the launch of a larger scale attack may be possible.”

Progress Software has rolled out updates in OpenEdge versions 11.7.18, 12.2.13, and 12.8.0 in response to this vulnerability. For those unable to apply these updates immediately, a temporary bulwark can be erected by setting the “fileUploadDirectory” property in the openedge.properties file to a non-existent directory and restarting the instance.

“While we have not seen any evidence that this vulnerability has been exploited at this time, we are encouraging customers to apply the patch as soon as possible,” a Progress spokesperson stated.