Progress patches severe auth bypass in MOVEit Transfer

Turns out, MOVEit might just move your data into the wrong hands, again.
Progress warns of leak that gives access to MOVEit Transfer servers

Software company Progress has issued a warning about a critical vulnerability in its MOVEit Transfer product. The flaw, tracked as CVE-2024-5806, could allow attackers to gain unauthorized access to sensitive information on MOVEit Transfer servers.

MOVEit Transfer is a managed file transfer application that many organizations use to exchange confidential files, both internally and with outside parties. It runs on a Windows server and lets users upload, download and manage files over several protocols, including SFTP and a web interface served over HTTPS.

The newly disclosed vulnerability is an authentication bypass. It lets an unauthenticated attacker log in to the server as any existing user, provided the attacker knows that user's name. Progress rates it 9.1 out of 10 on the CVSS scale, which places it in the critical band.

This isn’t the first time MOVEit Transfer has faced security challenges. Last year, a vulnerability in the software led to one of the largest mass data-theft and extortion campaigns in history. That campaign, run by the Clop ransomware group, resulted in data theft from nearly 2,800 organizations, affecting approximately 96 million people.

Security researchers at watchTowr Labs have released details about the current vulnerability after an embargo period. They noted that Progress had been working for weeks to inform customers about the need to patch the vulnerability and verify that the fixes had been applied.

watchTowr’s in-depth analysis revealed several critical points:

  • The vulnerability allows an attacker to impersonate any user on the system, as long as they know a valid username.
  • The flaw is in the SFTP service's handling of SSH public-key authentication.
  • Exploitation involves manipulating the public-key step of the SSH login. Instead of providing a public key, an attacker can supply a file path on the server, and the server loads whatever that file contains as the key it will verify the login against.
  • The researchers found a way to get a malicious SSH public key written into the server's log files without authenticating, which gives the attacker a server-side file with known contents to point that path at.
  • By exploiting this vulnerability, an attacker can access, modify, or delete sensitive files belonging to any user on the system.
  • The attack can be executed without prior access to the server and without any ability to upload files directly.
  • watchTowr Labs developed a proof-of-concept exploit demonstrating the full attack chain, from injecting the key into log files to accessing files as an arbitrary user.
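To make that chain concrete, here is a constructed Python model of the bug class, added here as an example; it is not MOVEit or watchTowr code and not the real exploit. The user names, log line format, file paths and the toy key scheme (a 32-byte seed as the "private key", its SHA-256 as the public key, wrapped in the real OpenSSH `ssh-ed25519 <base64>` line format) are all assumptions. It models the two ingredients the write-up describes: a server that logs unauthenticated input verbatim, and a public-key check that will treat the client-supplied "key" as a path on the server. The hardened version beside it only ever parses the input as a key and only accepts it if its fingerprint matches a key registered for that user.

```python
"""Constructed model of the bug class behind CVE-2024-5806 (added example, not MOVEit
or watchTowr code). Key material is a toy: private key = 32-byte seed, public key =
SHA-256(seed), wrapped in the real OpenSSH "ssh-ed25519 <base64>" line format so the
strict parser in the hardened path has something real to check."""
import base64
import hashlib
import hmac
import os
import re
import tempfile
from typing import Optional, Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def pubkey_line(seed: bytes) -> str:
    """Toy key pair: public part is SHA-256(seed), encoded like an ssh-ed25519 line."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def parse_openssh_pubkey(line: str) -> Tuple[str, bytes]:
    """Strict parse of one authorized_keys-style line; raises ValueError on anything else."""
    parts = line.strip().split(" ")
    if len(parts) < 2 or not parts[0].startswith("ssh-"):
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():  # type inside the blob must match the prefix
        raise ValueError("key type mismatch")
    return parts[0], blob


def fingerprint(blob: bytes) -> str:
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def proves_possession(blob: bytes, seed: bytes) -> bool:
    """Stand-in for the SSH signature check: the client must know the seed behind the key."""
    return blob.endswith(_ssh_string(hashlib.sha256(seed).digest()))


# Constructed registry: the only key the server should ever trust for "alice".
ALICE_SEED = b"alice-private-seed".ljust(32, b"\0")
REGISTERED = {"alice": pubkey_line(ALICE_SEED)}


def log_unauthenticated_attempt(log_path: str, user: str, key_param: str) -> None:
    """The server writes the client's unvalidated input to its log before any auth decision."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(f"publickey attempt user={user} key={key_param}\n")


def trusted_key_vulnerable(user: str, key_param: str) -> Optional[str]:
    """BUG: a client-supplied 'key' that names a readable file is loaded from that file
    (leniently, first ssh- token found) instead of coming from the user's registry entry."""
    if os.path.isfile(key_param):
        with open(key_param, encoding="utf-8", errors="replace") as f:
            m = re.search(r"ssh-[A-Za-z0-9-]+ [A-Za-z0-9+/=]+", f.read())
        return m.group(0) if m else None
    return REGISTERED.get(user)


def authenticate_vulnerable(user: str, key_param: str, seed: bytes) -> bool:
    trusted = trusted_key_vulnerable(user, key_param)
    if trusted is None:
        return False
    _, blob = parse_openssh_pubkey(trusted)
    return proves_possession(blob, seed)


def authenticate_hardened(user: str, key_param: str, seed: bytes) -> bool:
    """Fix: client input is only ever parsed as a key, never resolved as a path, and is
    accepted only if its fingerprint matches a key registered for that user."""
    registered = REGISTERED.get(user)
    if registered is None:
        return False
    try:
        _, blob = parse_openssh_pubkey(key_param)
    except ValueError:
        return False
    _, reg_blob = parse_openssh_pubkey(registered)
    if not hmac.compare_digest(fingerprint(blob), fingerprint(reg_blob)):
        return False
    return proves_possession(blob, seed)


def run_scenario() -> dict:
    """Attacker 'mallory' knows only the username 'alice' and her own toy key pair."""
    mallory_seed = b"mallory-private-seed".ljust(32, b"\0")
    mallory_line = pubkey_line(mallory_seed)
    fd, log_path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        # Step 1, unauthenticated: get the attacker's public key written into the log.
        log_unauthenticated_attempt(log_path, "alice", mallory_line)
        # Step 2: hand the log's path where a key is expected, then prove possession
        # of the key the server has just loaded from that file.
        return {
            "vulnerable_bypass": authenticate_vulnerable("alice", log_path, mallory_seed),
            "hardened_bypass": authenticate_hardened("alice", log_path, mallory_seed),
            "hardened_wrong_key": authenticate_hardened("alice", mallory_line, mallory_seed),
            "hardened_legit": authenticate_hardened("alice", REGISTERED["alice"], ALICE_SEED),
        }
    finally:
        os.unlink(log_path)


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes is that neither ingredient is dangerous on its own: logging unvalidated input is common, and loading keys from a configured path is normal. The bypass appears only when the path is chosen by the client, which is why the fix is to stop interpreting that field as anything but a key, and to bind the check to the target user's registered keys rather than to whatever the client presents.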

The researchers noted that while Progress had been working to inform customers about patching, its description of the vulnerability as applicable to “limited scenarios” may have understated its severity.

The vulnerability affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2. Progress strongly recommends that all MOVEit Transfer customers on these versions immediately upgrade to 2023.0.11, 2023.1.6 or 2024.0.2 (or later) for their respective release line.

In addition to the main vulnerability, Progress has also identified a separate issue in a third-party component used in MOVEit Transfer:

A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk. Please work with your internal teams to take the following steps to mitigate the third-party vulnerability.

Progress

Until that third-party component is fixed, Progress advises customers to:

  • Verify that inbound RDP access (TCP 3389) to MOVEit Transfer servers is blocked from the public internet
  • Limit outbound access from MOVEit Transfer servers to only known, trusted endpoints

Progress has stated that they will make a fix for the third-party vulnerability available to MOVEit Transfer customers once it’s released by the third-party vendor.

For MOVEit Cloud customers, Progress has already deployed the patch, and the cloud infrastructure is reportedly safeguarded against the recently disclosed third-party vulnerability through strict access controls.

While the situation is serious, it’s worth noting that Progress has been proactive in addressing the issue. They’ve been reaching out to customers for weeks to ensure patches are applied, and have made efforts to verify that this has been done.

However, if you’re using MOVEit Transfer and haven’t yet updated to the latest version, it’s crucial to do so as soon as possible. The patched versions are available for download from the Progress Community portal for customers with current maintenance agreements.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.