Fresh MOVEit Bug Under Attack Mere Hours After Disclosure

Summary:
A vulnerability in Progress Software's MOVEit Transfer platform, CVE-2024-5806, allows attackers to authenticate as any valid user and gain that user's privileges. The vulnerability, which carries a CVSS score of 9.1, was being actively exploited within hours of its public disclosure. MOVEit Transfer, a file sharing and collaboration application used by large enterprises, was infamously targeted last year in Clop ransomware attacks that affected at least 160 victims, including high-profile organizations. The newly disclosed vulnerability is an improper authentication issue in MOVEit Transfer's SFTP module. According to Progress Software's security advisory, it affects MOVEit Transfer versions 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2. The advisory includes patching information and strongly urges administrators to apply the patches immediately given the heightened risk of exploitation.

Security Officer Comments:
The Shadowserver Foundation reported observing exploit attempts very shortly after the vulnerability details were published, and counts at least 1,800 exposed instances online, although not all of them are necessarily vulnerable. Separately, network scans by Censys indicate around 2,700 internet-exposed MOVEit Transfer instances, most located in the US, UK, Germany, Canada, and the Netherlands. Researchers at watchTowr, who described the vulnerability as "truly bizarre," identified two attack scenarios. In the first, an attacker with a valid username (obtainable by a dictionary-attack approach) can perform "forced authentication" against a malicious SMB server under their control. In the second, more dangerous scenario, a threat actor can impersonate any user on the system: the attacker uploads an SSH public key to the server without logging in, then uses that key to authenticate as any user. This grants the ability to read, modify, and delete previously protected and likely sensitive data.

Suggested Corrections:
Progress has addressed the MOVEit Transfer vulnerability and the Progress MOVEit team strongly recommends performing an upgrade to the latest versions:

  • MOVEit Transfer 2023.0.11
  • MOVEit Transfer 2023.1.6
  • MOVEit Transfer 2024.0.2
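Because the advisory expresses the affected ranges per release branch (each branch is vulnerable from its .0 build up to, but not including, the fixed build listed above), a fleet-wide check is easy to get wrong with naive string comparison. The following is an added example, not code from Progress or from the page: it encodes exactly the three ranges the advisory lists, classifies each inventoried host, and flags version strings it cannot parse or branches the advisory does not name (such as older, end-of-life releases) rather than silently treating them as safe. The hostnames and version strings in `SAMPLE_INVENTORY` are constructed sample data.

```python
"""Triage MOVEit Transfer versions against the CVE-2024-5806 advisory ranges.

Added example; not Progress code. Affected ranges and fixed builds are the
ones the Progress advisory lists. The inventory below is constructed data.
"""
from typing import NamedTuple


class Branch(NamedTuple):
    prefix: tuple[int, int]        # (major, minor) identifying the release branch
    fixed: tuple[int, int, int]    # first build in that branch that is patched


# From the advisory: X.Y.0 up to (not including) the fixed build is vulnerable.
AFFECTED_BRANCHES = [
    Branch((2023, 0), (2023, 0, 11)),
    Branch((2023, 1), (2023, 1, 6)),
    Branch((2024, 0), (2024, 0, 2)),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; any trailing numeric fields (e.g. a build
    number) are ignored because the advisory ranges are stated at patch level."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched', or 'unlisted' for one version string.

    Tuple comparison orders numerically field by field, so 2023.0.9 sorts
    below 2023.0.11 (string comparison would get this wrong).
    """
    v = parse_version(version)
    for branch in AFFECTED_BRANCHES:
        if v[:2] == branch.prefix:
            return "vulnerable" if v < branch.fixed else "patched"
    # Branches the advisory does not name are not covered by its fix list;
    # they must be verified separately rather than assumed safe.
    return "unlisted"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment so patching can be prioritised.
    Unparseable version strings land in 'unknown' for manual follow-up."""
    groups: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "unlisted": [], "unknown": [],
    }
    for host, version in inventory.items():
        try:
            groups[assess(version)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mft-01.example.internal": "2023.0.10",
    "mft-02.example.internal": "2023.0.11",
    "mft-03.example.internal": "2023.1.5",
    "mft-04.example.internal": "2024.0.2",
    "mft-05.example.internal": "2024.0.0.46",   # four-field build string
    "mft-06.example.internal": "2022.1.9",      # branch not in the advisory
    "mft-07.example.internal": "n/a",           # agent returned no version
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Feed it the version column from whatever inventory or scan export you already have; anything in the `unlisted` or `unknown` buckets should be checked by hand against the advisory rather than dropped from the patch list.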

In addition to CVE-2024-5806 a newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk. Please work with your internal teams to take the following steps to mitigate the third-party vulnerability.

Steps customers should take to mitigate the third-party vulnerability:

  • Verify you have blocked public inbound RDP access to MOVEit Transfer server(s)
  • Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)

When the third-party vendor releases a fix, it will be communicated to MOVEit Transfer customers.

PLEASE NOTE: Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running. For customers on MOVEit Cloud, no further action is needed as the MOVEit Transfer patch has already been deployed to MOVEit Cloud. In addition, our MOVEit Cloud infrastructure is safeguarded against the recently disclosed third-party vulnerability through strict access controls on the underlying infrastructure.

Progress Disclosure:
https://community.progress.com/s/ar...curity-Alert-Bulletin-June-2024-CVE-2024-5806

Link(s):
https://www.darkreading.com/remote-workforce/fresh-moveit-bug-under-attack-disclosure
https://community.progress.com/s/ar...curity-Alert-Bulletin-June-2024-CVE-2024-5806
https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
https://censys.com/moveit-transfer-auth-bypass/