Heimdal

A new critical authentication bypass flaw in Progress MOVEit Transfer was disclosed, and threat actors are already trying their best to exploit it.

The new security flaw, tracked as CVE-2024-5806, allows attackers to bypass the authentication procedure of the Secure File Transfer Protocol (SFTP) module, which is responsible for handling file transfers over SSH.

MOVEit Transfer is a managed file transfer (MFT) solution used by businesses to transfer files securely between partners and customers using the SFTP, SCP, and HTTP protocols.

What Do We Know About the Vulnerability?

By leveraging this vulnerability, an attacker might upload, download, remove, or alter files, intercept or interfere with file transfers, and get access to sensitive data kept on the MOVEit Transfer server.

The security NGO Shadowserver Foundation reported seeing exploitation attempts shortly after Progress announced the vulnerability, meaning that threat actors are already attacking vulnerable endpoints.


Cybersecurity researchers indicated that there are already around 2,700 internet-exposed MOVEit Transfer instances, over 2,000 of them located in the United States, and others in the UK, Germany, Canada, the Netherlands, Switzerland, France, and more.

Progress released security updates to patch the vulnerability. The percentage of those who haven’t applied the patches or mitigated the third-party flaw is unknown.

The offensive security company watchTowr released technical details about the vulnerability, how it may be exploited, and what defenders should look for in the logs to check for evidence of exploitation; Shadowserver reported exploitation attempts shortly after these details were published.

Additionally, watchTowr offers a technical analysis of how attackers might force the server to authenticate using attacker-controlled pathways by manipulating SSH public key paths, which could expose Net-NTLMv2 hashes.

Furthermore, vulnerability researchers Sina Kheirkhah and Aliz Hammond of watchTowr have already made the proof-of-concept exploit code for CVE-2024-5806 publicly available.

Progress Releases Patches to Fix the Vulnerability

Progress’s security bulletin states that CVE-2024-5806 affects the following product versions:

  • 2023.0.0 before 2023.0.11;
  • 2023.1.0 before 2023.1.6;
  • 2024.0.0 before 2024.0.2.

Updates were released for MOVEit Transfer versions 2023.0.11, 2023.1.6, and 2024.0.2, which may be accessed through the Progress Community website.
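As an added example, not code from Progress or from the Heimdal article, the following Python helper applies the affected version ranges quoted above to an inventory of MOVEit Transfer instances so a defender can see which hosts still need the update. The function names and the sample inventory are this example's own constructions.

```python
"""Flag MOVEit Transfer instances whose version falls in the CVE-2024-5806 ranges.

Affected ranges follow the Progress bulletin: 2023.0.0 before 2023.0.11,
2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2.
"""

# (branch as (major, minor), first fixed version in that branch)
AFFECTED_RANGES = [
    ((2023, 0), "2023.0.11"),
    ((2023, 1), "2023.1.6"),
    ((2024, 0), "2024.0.2"),
]


def parse_version(version: str) -> tuple:
    """Turn '2023.1.4' into (2023, 1, 4); reject anything non-numeric."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def cve_2024_5806_status(version: str) -> str:
    """Return 'affected', 'patched', or 'unknown-branch'.

    Branches not named in the bulletin are reported as 'unknown-branch'
    rather than assumed safe.
    """
    parsed = parse_version(version)
    for branch, fixed in AFFECTED_RANGES:
        if parsed[:2] == branch:
            return "affected" if parsed < parse_version(fixed) else "patched"
    return "unknown-branch"


def hosts_needing_patch(inventory: list) -> list:
    """Given [(hostname, version), ...], return hostnames still affected."""
    return [host for host, ver in inventory
            if cve_2024_5806_status(ver) == "affected"]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = [
        ("mft-01.example.test", "2023.0.10"),
        ("mft-02.example.test", "2023.1.6"),
        ("mft-03.example.test", "2024.0.1"),
        ("mft-04.example.test", "2022.1.9"),
    ]
    for host, ver in sample:
        print(f"{host:22s} {ver:10s} {cve_2024_5806_status(ver)}")
    print("needs patch:", hosts_needing_patch(sample))
```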

Customers without a maintenance agreement should immediately contact the Renewals team or their Progress partner representative to solve the issue. MOVEit Cloud customers will have the patches deployed automatically.

Apart from the vulnerability itself, Progress also reports that it found another vulnerability in a third-party component used by MOVEit Transfer, which raises the risk associated with CVE-2024-5806.

Sysadmins are advised to restrict outbound connections to known/trusted destinations and disable Remote Desktop Protocol (RDP) access to the MOVEit Transfer servers in order to mitigate this problem until a remedy from the third-party vendor is made available.

Progress also released a security bulletin about a similar authentication bypass issue, CVE-2024-5805, which impacts MOVEit Gateway 2024.0.0.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
