Published: June 18, 2023

Overview

There are three critical vulnerabilities in MOVEit Transfer that have been recently disclosed by Progress Software.

The first vulnerability is CVE-2023-34362 which is a SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database.

The second vulnerability is CVE-2023-35036 which allows unauthenticated access to compromise unpatched and Internet-exposed servers to steal customer information.

The third vulnerability is CVE-2023-35708 which is an SQL injection vulnerability that could allow an attacker to execute arbitrary SQL commands.

The CL0P ransomware group has exploited the first vulnerability, which has led to the compromise of several US government agencies and other companies. Progress Software Corporation has released patches for all the vulnerabilities and advises customers to apply patches and modify firewall rules to prevent further exploitation. 

Impact 

CVE-2023-34362 is a critical zero-day vulnerability in Progress Software’s MOVEit Transfer solution that allows for SQL injection, which can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. CVE-2023-35036 impacts all MOVEit Transfer versions and lets unauthenticated attackers compromise unpatched and Internet-exposed servers to steal customer information.

The CL0P ransomware gang claimed responsibility for the CVE-2023-34362 attacks, and they allegedly breached the MOVEit servers of “hundreds of companies”. CVE-2023-35708 is an SQL injection vulnerability that could allow an attacker to execute arbitrary SQL commands. These vulnerabilities can have serious consequences such as unauthorized access to sensitive data and customer information theft. 

Applicable Versions 

Affected VersionFixed Version (full installer)
MOVEit Transfer 2023.0.x (15.0.x)   MOVEit Transfer 2023.03 (15.0.3) 
MOVEit Transfer 2022.1.x (14.1.x)   MOVEit Transfer 2022.1.7 (14.1.7)   
MOVEit Transfer 2022.0.x (14.0.x)   MOVEit Transfer 2022.0.6 (14.0.6)   
MOVEit Transfer 2021.1.x (13.1.x)   MOVEit Transfer 2021.1.6 (13.1.6)   
MOVEit Transfer 2021.0.x (13.0.x)   MOVEit Transfer 2021.0.8 (13.0.8)   
MOVEit Transfer 2020.1.x (12.1)   Must update to at least 2020.1.6 then apply DLL Drop-ins above   
MOVEit Transfer 2020.0.x (12.0) or older   MUST upgrade to a supported version   
MOVEit Cloud   Prod: 14.1.6.97 or 14.0.5.45   Test: 15.0.2.39   

Mitigations and Workarounds 

Immediately disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. More specifically:

  • Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.
  • It is important to note that until HTTP and HTTPs traffic is enabled again:
    • Users will not be able to log on to the MOVEit Transfer web UI
    • MOVEit Automation tasks that use the native MOVEit Transfer host will not work
    • REST, Java and .NET APIs will not work
    • MOVEit Transfer add-in for Outlook will not work
  • SFTP and FTP/s protocols will continue to work as normal
  • Apply the Patch - As patches for supported MOVEit Transfer versions become available, links will be provided below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle.

The Cybersecurity and Infrastructure Security Agency (CISA) also urged organizations to review Progress’ advisory about the bug.

Best Practices 

It is a good practice to update the MOVEit Transfer application with the latest available versions. For more information and best practices on preventing and mitigating ransomware and data extortion incidents, refer to the resources listed on StopRansomware.gov – https://www.cisa.gov/stopransomware/ransomware-guide.

Netsurion Detection and Response 

Netsurion strictly follows the guidelines present in the ransomware-guide. Our security analysts have added the IOCs (Indicators of Compromise – the hashes of malicious files and the IP addresses) to Netsurion’s Threat Center, our Threat Intelligence Platform. This will help detect malicious files and suspicious Command and Control communications to malicious IP addresses to detect these three vulnerabilities. Netsurion’s vulnerability management system will also detect the vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) for customers who have subscribed to Netsurion Vulnerability Management.

References: 

  1. https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability 
  2. https://digital.nhs.uk/cyber-alerts/2023/cc-4342 
  3. https://nvd.nist.gov/vuln/detail/CVE-2023-34362  
  4. https://nvd.nist.gov/vuln/detail/CVE-2023-35036 
  5. https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023 
  6. https://thehackernews.com/2023/06/third-flaw-uncovered-in-moveit-transfer.html 
  7. https://therecord.media/third-moveit-vulnerability-raises-alarms 
  8. https://success.trendmicro.com/dcx/s/solution/000293538?language=en_US 
Cybersecurity Updates
Latest Advisory Alerts

Palo Alto PAN-OS Command Injection Vulnerability

D-Link NAS Command Injection Vulnerability

VMware ESXi, Workstation, and Fusion Vulnerabilities

Latest Data Source Integrations

AWS Key Management Service (KMS)

Have I Been Pwned

SentinelOne

Latest Enhancements

Netsurion Open XDR Now Supports PCI DSS 4.0

Extended Data Source Integrations and Alerts Released for Essentials

Enriched Application Control in Open XDR 9.4