Published: July 11, 2023

Overview

Progress Software has disclosed three (3) new vulnerabilities (CVE-2023-36934, CVE-2023-36932, CVE-2023-36933) in MOVEit Transfer. A cyber threat actor could exploit some of these vulnerabilities to obtain sensitive information. These are new vulnerabilities in addition to the three MOVEit vulnerabilities disclosed in May and June 2023 (CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708).

CVE-2023-36932 (CVSS score 6.8) is a SQL injection vulnerability that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. CVE-2023-36933 (CVSS score 5.3) is a vulnerability that allows attackers to unexpectedly shut down the MOVEit Transfer program. CVE-2023-36934 (CVSS score 9.8) is a critical SQL injection vulnerability that could allow a remote, unauthenticated attacker to bypass authentication, gain access to the environment, and access or modify MOVEit database content. CISA encourages users to review Progress Software’s MOVEit Transfer article and apply product updates as applicable for security improvements.

Impact 

CVE-2023-36934 is a critical SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. This could allow the attacker to steal sensitive data, such as user credentials, files, and other information.

CVE-2023-36932 is a denial-of-service (DoS) vulnerability that could cause a MOVEit Transfer server to crash. This could disrupt file transfers and other operations and could also make the server unavailable to legitimate users.

CVE-2023-36933 is a vulnerability that could allow an attacker to terminate a MOVEit Transfer application unexpectedly. This could disrupt file transfers and other operations and could also make the application unavailable to legitimate users.

The impact of these vulnerabilities could be significant. If an attacker is able to gain unauthorized access to the MOVEit Transfer database, they could steal sensitive data, which could lead to identity theft, financial loss, or other problems. If an attacker is able to cause a MOVEit Transfer server to crash, they could disrupt file transfers and other operations.

Applicable Versions 

Affected Version                              Fixed Version (full installer)
MOVEit Transfer 2023.0.x (15.0.x)             MOVEit Transfer 2023.0.4 (15.0.4)
MOVEit Transfer 2022.1.x (14.1.x)             MOVEit Transfer 2022.1.8 (14.1.8)
MOVEit Transfer 2022.0.x (14.0.x)             MOVEit Transfer 2022.0.7 (14.0.7)
MOVEit Transfer 2021.1.x (13.1.x)             MOVEit Transfer 2021.1.7 (13.1.7)
MOVEit Transfer 2021.0.x (13.0.x)             MOVEit Transfer 2021.0.9 (13.0.9)
MOVEit Transfer 2020.1.6 (12.1.6) or later    Special Service Pack Available
MOVEit Transfer 2020.0.x (12.0.x) or older    Must Upgrade to a Supported Version
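As an added example (not from the advisory or from Progress Software), the following Python classifies an installed MOVEit Transfer version string against the table above so an administrator can triage an inventory export; the hostnames and versions in the sample inventory are constructed, and the year-to-internal-version mapping (2020+n maps to 12+n) is inferred from the table.

```python
import re

# Fixed versions from the advisory's table, keyed by internal release branch (major, minor).
FIXED_VERSIONS = {
    (15, 0): (15, 0, 4),  # MOVEit Transfer 2023.0.4
    (14, 1): (14, 1, 8),  # MOVEit Transfer 2022.1.8
    (14, 0): (14, 0, 7),  # MOVEit Transfer 2022.0.7
    (13, 1): (13, 1, 7),  # MOVEit Transfer 2021.1.7
    (13, 0): (13, 0, 9),  # MOVEit Transfer 2021.0.9
}
SPECIAL_SP_MIN = (12, 1, 6)  # 2020.1.6 or later gets a special service pack; older 12.x must upgrade
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the internal version tuple from '15.0.3', '2023.0.3' or 'MOVEit Transfer 2023.0.3 (15.0.3)'."""
    found = [tuple(int(x) for x in m) for m in _VER_RE.findall(text)]
    if not found:
        raise ValueError(f"no x.y.z version in {text!r}")
    v = found[-1]  # when both forms are present, the parenthesised internal one comes last
    if v[0] >= 2020:  # year-style number: the table shows 2020+n maps to 12+n (assumed pattern)
        v = (v[0] - 2008, v[1], v[2])
    return v


def assess(text):
    """Classify one installed version against the July 2023 table."""
    v = parse_version(text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "apply-service-pack"
    if v[0] >= 13:
        return "not-in-advisory-table"  # a branch the table does not list; confirm with the vendor
    if v >= SPECIAL_SP_MIN:
        return "special-service-pack"
    return "must-upgrade"  # 12.0.x or older (and 12.1.x below 12.1.6, which the table omits)


def triage(inventory_lines):
    """Map 'hostname,version' lines to {hostname: status}."""
    result = {}
    for line in inventory_lines:
        host, _, ver = line.partition(",")
        result[host.strip()] = assess(ver.strip())
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for the example).
    sample = ["mft-01,MOVEit Transfer 2023.0.3 (15.0.3)", "mft-02,14.1.8", "mft-03,2020.1.6", "mft-04,12.0.9"]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```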

Mitigations and Workarounds 

Apply the July 2023 service pack provided by Progress Software. If patching is not feasible, disable all HTTP and HTTPS traffic to your MOVEit Transfer environment by adding firewall deny rules for ports 80 and 443. It is highly recommended to enable logging. Additionally, organizations are advised to review logs for unexpected downloads of files.

The Cybersecurity and Infrastructure Security Agency (CISA) also urged organizations to review Progress’ advisory about the bug.

Best Practices 

The following best practices help prevent the MOVEit vulnerabilities from being exploited:

  1. Delete all unauthorized files and accounts.
  2. Reset service account credentials.
  3. Enable logging and review logs for unexpected downloads of files.
  4. Implement a vulnerability scanner, penetration testing, and hardening techniques.
  5. Monitor your system diligently and update your IOCs.

It is a good practice to update the MOVEit Transfer application with the latest available versions. For more information and best practices on preventing and mitigating ransomware and data extortion incidents, refer to the resources listed on StopRansomware.gov – https://www.cisa.gov/stopransomware/ransomware-guide.

Netsurion Detection and Response 

Netsurion strictly follows the guidelines in the ransomware guide. Our security analysts add the IOCs (Indicators of Compromise: the hashes of malicious files and the IP addresses) to Netsurion’s Threat Center, our Threat Intelligence Platform. This helps detect malicious files and suspicious command-and-control communications to malicious IP addresses associated with exploitation of these three vulnerabilities. Netsurion’s vulnerability management system will also detect the vulnerabilities (CVE-2023-36932, CVE-2023-36933, CVE-2023-36934) for customers who have subscribed to Netsurion Vulnerability Management.


References: 

  1. https://www.cisa.gov/news-events/alerts/2023/07/07/progress-software-releases-service-pack-moveit-transfer-vulnerabilities
  2. https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-July-2023
  3. https://thehackernews.com/2023/07/another-critical-unauthenticated-sqli.html
  4. https://digital.nhs.uk/cyber-alerts/2023/cc-4351
  5. https://nvd.nist.gov/vuln/detail/CVE-2023-36932
  6. https://nvd.nist.gov/vuln/detail/CVE-2023-36933
  7. https://nvd.nist.gov/vuln/detail/CVE-2023-36934