How to remediate – Wing FTP Server Detection

1. Introduction

Wing FTP Server Detection indicates an installation of Wing FTP Server on a remote host. This server provides file transfer services using FTP, FTPS and SFTP protocols. Its presence introduces potential risks associated with unpatched vulnerabilities in the software itself, and misconfigurations that could lead to unauthorised access. Confidentiality, integrity, and availability may be impacted if exploited.

2. Technical Explanation

The vulnerability lies in having an instance of Wing FTP Server installed on a system. While not a specific flaw in itself, it represents a potential attack surface. Attackers will scan for known versions to identify exploitable instances. Exploitation typically involves leveraging vulnerabilities within the server software or exploiting weak configurations. Preconditions include network connectivity to the server and knowledge of its version.

• Root cause: The presence of an FTP server application introduces a potential attack vector.
• Exploit mechanism: An attacker could attempt to exploit known vulnerabilities in Wing FTP Server, such as buffer overflows or authentication bypasses, depending on the installed version. For example, they might use a crafted FTP command to gain unauthorised access.
• Scope: Affected platforms are systems running Windows where Wing FTP Server is installed. Specific versions depend on the software lifecycle and patch status.

3. Detection and Assessment

Confirming the presence of Wing FTP Server can be done quickly through process listing or by checking for specific files. A thorough assessment involves identifying the version number.

• Quick checks: Use Task Manager to look for ‘WingFTPServer.exe’ in running processes.
• Scanning: Nessus plugin ID 16829 can detect Wing FTP Server installations. This is an example only, and results should be verified.
• Logs and evidence: Check the Windows Event Logs for events related to Wing FTP Server startup or errors. Look for entries with source ‘WingFTP’ if available.

tasklist | findstr "WingFTPServer.exe"

4. Solution / Remediation Steps

The primary solution is to remove the software if it isn’t required, or update to the latest version with security patches applied.

4.1 Preparation

• Ensure you have administrator privileges for the system. A roll back plan involves restoring from backup or re-installing the previous version if necessary.
• A change window may be needed to minimise disruption, and approval should be sought from IT management.

4.2 Implementation

1. Step 1: Stop the Wing FTP Server service using the Services application (services.msc).
2. Step 2: Uninstall Wing FTP Server through ‘Add or Remove Programs’ in Control Panel.
3. Step 3: Verify that all files and folders associated with Wing FTP Server have been removed from the file system.

4.3 Config or Code Example

This vulnerability does not involve a configuration change, but rather the removal of software.

Before

WingFTPServer.exe running in Task Manager

After

No WingFTPServer.exe process visible in Task Manager

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help mitigate risks associated with unnecessary software installations.

• Practice 1: Least privilege – limit user access rights to reduce the impact of a potential compromise.
• Practice 2: Patch cadence – Regularly review and apply security updates for all installed software, including FTP servers if they are required.

4.5 Automation (Optional)

PowerShell can be used to stop the service and uninstall the application.

# Stop the Wing FTP Server Service
Stop-Service -Name "WingFTP" -Force
# Uninstall Wing FTP Server
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Wing FTP Server*"} | Uninstall-Package -Force

5. Verification / Validation

Confirm the fix by verifying that the service is stopped and the application has been uninstalled.

• Post-fix check: Run ‘tasklist’ and confirm ‘WingFTPServer.exe’ is not listed.
• Re-test: Re-run the quick check from Section 3 to ensure the process is no longer running.
• Smoke test: If Wing FTP Server was used for a specific function, verify that alternative methods are available or functioning correctly.
• Monitoring: Check Windows Event Logs periodically for any unexpected events related to file transfer activity. This is an example only.

tasklist | findstr "WingFTPServer.exe" (should return no results)

6. Preventive Measures and Monitoring

Regular software inventory and vulnerability scanning can help prevent unnecessary software from being installed.

• Baselines: Update security baselines to include a list of approved applications only, preventing unauthorised installations.
• Pipelines: Implement application whitelisting or control policies in deployment pipelines to block the installation of unapproved software.
• Asset and patch process: Conduct regular asset inventories to identify unused or outdated software. Review and update security configurations on a defined schedule.

7. Risks, Side Effects, and Roll Back

• Risk or side effect 1: Disruption of file transfer services – ensure users have alternative methods for transferring files.

8. References and Resources

Links to official resources related to Wing FTP Server.

• Vendor advisory or bulletin: https://www.wftpserver.com/
• NVD or CVE entry: No specific CVEs are associated with the mere presence of Wing FTP Server, but individual versions may have vulnerabilities listed on NVD.
• Product or platform documentation relevant to the fix: https://www.wftpserver.com/documentation/