A new critical authentication bypass flaw in Progress MOVEit Transfer was disclosed, and threat actors are already trying their best to exploit it.
The new security flaw, which goes by the number CVE-2024-5806, enables attackers to get around the Secure File Transfer Protocol (SFTP) module’s authentication procedure, which is in charge of handling file transfers over SSH.
MOVEit Transfer is a managed file transfer (MFT) solution used by businesses to transfer files securely between partners and customers using the SFTP, SCP, and HTTP protocols.
What Do We Know About the Vulnerability?
By leveraging this vulnerability, an attacker might upload, download, remove, or alter files, intercept or interfere with file transfers, and get access to sensitive data kept on the MOVEit Transfer server.
The security NGO Shadowserver Foundation reported seeing exploitation attempts shortly after Progress announced the vulnerability, meaning that threat actors are already attacking vulnerable endpoints.
Very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts. If you run MOVEit & have not patched yet – please do so now: https://t.co/AenLgqg1wM
— The Shadowserver Foundation (@Shadowserver) June 25, 2024
Cybersecurity researchers report around 2,700 internet-exposed MOVEit Transfer instances, over 2,000 of them located in the United States, with the rest in the UK, Germany, Canada, the Netherlands, Switzerland, France, and other countries.
Progress released security updates to patch the vulnerability. The percentage of those who haven’t applied the patches or mitigated the third-party flaw is unknown.
The offensive security company watchTowr released technical details about the vulnerability, how it may be exploited, and what defenders should look for in the logs to check for evidence of exploitation; Shadowserver reported the exploitation attempts shortly after that publication.
Additionally, watchTowr offers a technical analysis of how attackers might force the server to authenticate using attacker-controlled pathways by manipulating SSH public key paths, which could expose Net-NTLMv2 hashes.
Furthermore, vulnerability researchers Sina Kheirkhah and Aliz Hammond of watchTowr have already made the proof-of-concept exploit code for CVE-2024-5806 publicly available.
Progress Releases Patches to Fix the Vulnerability
Progress mentioned in the security bulletin they released that CVE-2024-5806 impacts the following product versions:
- 2023.0.0 before 2023.0.11;
- 2023.1.0 before 2023.1.6;
- 2024.0.0 before 2024.0.2.
Updates were released for MOVEit Transfer versions 2023.0.11, 2023.1.6, and 2024.0.2, which may be accessed through the Progress Community website.
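As an added triage example for defenders (not code from Progress, watchTowr or the article), the snippet below checks a MOVEit Transfer version string against the three affected ranges quoted from the bulletin above and filters IIS-style W3C log lines for the POST /guestaccess.aspx requests Shadowserver reported. The log lines are constructed samples and the W3C field order is an assumption; adapt the `#Fields:` header to what your server actually logs.

```python
"""Triage helpers for CVE-2024-5806: version check plus a log filter.
Affected ranges and fixed versions are those quoted from the Progress
bulletin; the IIS W3C sample log below is constructed, with an assumed
field order."""
import re

# (branch, first fixed version) as listed in the bulletin
FIXED = {(2023, 0): (2023, 0, 11), (2023, 1): (2023, 1, 6), (2024, 0): (2024, 0, 2)}

def parse_version(text):
    """Turn '2023.0.10' into (2023, 0, 10); raise on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    """True when the version falls inside one of the three affected ranges.
    Branches the bulletin does not list return None ('not covered by this
    advisory') rather than a misleading False."""
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed

# Constructed sample in IIS W3C format (assumed field order).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-06-25 14:01:02 10.0.0.5 GET /human.aspx - 443 - 192.0.2.10 200
2024-06-25 14:01:09 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.7 302
2024-06-25 14:01:10 10.0.0.5 POST /GUESTACCESS.ASPX - 443 - 198.51.100.7 200
"""

def guestaccess_posts(log_text):
    """Return (client IP, HTTP status) for every POST to /guestaccess.aspx.
    A hit is a lead to investigate alongside the indicators watchTowr
    published, not proof of compromise on its own."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") == "POST" and row.get("cs-uri-stem", "").lower() == "/guestaccess.aspx":
            hits.append((row.get("c-ip"), row.get("sc-status")))
    return hits
```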
Customers without a maintenance agreement should immediately contact the Renewals team or their Progress partner representative to obtain the fix. MOVEit Cloud customers will have the patches deployed automatically.
Apart from the vulnerability itself, Progress also reports that it discovered another vulnerability in a third-party component used by MOVEit Transfer, which raises the risk associated with CVE-2024-5806.
Sysadmins are advised to restrict outbound connections to known/trusted destinations and disable Remote Desktop Protocol (RDP) access to the MOVEit Transfer servers in order to mitigate this problem until a remedy from the third-party vendor is made available.
Progress also released a security bulletin about a similar authentication bypass issue, CVE-2024-5805, which impacts MOVEit Gateway 2024.0.0.