Published: June 18, 2023
Progress Software has recently disclosed three critical vulnerabilities in MOVEit Transfer.
The first, CVE-2023-34362, is an SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database.
The second, CVE-2023-35036, lets unauthenticated attackers compromise unpatched, Internet-exposed servers and steal customer information.
The third, CVE-2023-35708, is an SQL injection vulnerability that could allow an attacker to execute arbitrary SQL commands.
The CL0P ransomware group has exploited the first vulnerability, which has led to the compromise of several US government agencies and other companies. Progress Software Corporation has released patches for all the vulnerabilities and advises customers to apply patches and modify firewall rules to prevent further exploitation.
CVE-2023-34362 is a critical zero-day vulnerability in Progress Software’s MOVEit Transfer solution that allows for SQL injection, which can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. CVE-2023-35036 impacts all MOVEit Transfer versions and lets unauthenticated attackers compromise unpatched and Internet-exposed servers to steal customer information.
The CL0P ransomware gang claimed responsibility for the CVE-2023-34362 attacks, and they allegedly breached the MOVEit servers of “hundreds of companies”. CVE-2023-35708 is an SQL injection vulnerability that could allow an attacker to execute arbitrary SQL commands. These vulnerabilities can have serious consequences such as unauthorized access to sensitive data and customer information theft.
| Affected Version | Fixed Version (full installer) |
| --- | --- |
| MOVEit Transfer 2023.0.x (15.0.x) | MOVEit Transfer 2023.03 (15.0.3) |
| MOVEit Transfer 2022.1.x (14.1.x) | MOVEit Transfer 2022.1.7 (14.1.7) |
| MOVEit Transfer 2022.0.x (14.0.x) | MOVEit Transfer 2022.0.6 (14.0.6) |
| MOVEit Transfer 2021.1.x (13.1.x) | MOVEit Transfer 2021.1.6 (13.1.6) |
| MOVEit Transfer 2021.0.x (13.0.x) | MOVEit Transfer 2021.0.8 (13.0.8) |
| MOVEit Transfer 2020.1.x (12.1) | Must update to at least 2020.1.6 then apply DLL Drop-ins above |
| MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version |
| MOVEit Cloud | Prod: 188.8.131.52 or 184.108.40.206 Test: 220.127.116.11 |
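The table is easier to act on as a check than as a lookup. The PowerShell below is an added example, not part of the Progress advisory or of Netsurion's tooling: it parses an installed MOVEit Transfer build number, picks the branch (major.minor), and compares it against the minimum fixed build listed above. The registry lookup in `Get-MoveItInstalledVersion` assumes the product registers under the standard Windows Uninstall key with a DisplayName starting with "MOVEit Transfer"; that is an assumption, so adjust it if your install differs. The 2020.1.x branch additionally needs the DLL drop-in, which a version number alone cannot confirm, so that case is reported for manual verification.

```powershell
# Added example (not from the advisory): check a MOVEit Transfer build against
# the fixed versions in the advisory table. Minimum fixed build per branch:
$MoveItFixedVersions = @{
    '15.0' = [version]'15.0.3'   # 2023.0.x
    '14.1' = [version]'14.1.7'   # 2022.1.x
    '14.0' = [version]'14.0.6'   # 2022.0.x
    '13.1' = [version]'13.1.6'   # 2021.1.x
    '13.0' = [version]'13.0.8'   # 2021.0.x
}

function Test-MoveItPatched {
    param([Parameter(Mandatory)][string]$InstalledVersion)

    $v      = [version]$InstalledVersion
    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    $fixed  = $MoveItFixedVersions[$branch]

    $status = if ($fixed) {
        # A three-part fixed version (Revision -1) sorts below every four-part
        # build of the same branch, so 15.0.3.39 -ge 15.0.3 evaluates to $true.
        if ($v -ge $fixed) { 'Patched' } else { "Vulnerable: update to $fixed or later" }
    } elseif ($branch -eq '12.1') {
        'Needs 2020.1.6 or later plus the DLL drop-in; verify manually'
    } elseif ($v.Major -le 12) {
        'Unsupported: upgrade to a supported version'
    } else {
        'Unknown branch: check the vendor advisory'
    }

    [pscustomobject]@{ Installed = $InstalledVersion; Branch = $branch; Status = $status }
}

function Get-MoveItInstalledVersion {
    # Assumption: MOVEit Transfer is listed in the standard Uninstall registry keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'MOVEit Transfer*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# Constructed sample build numbers, used only to exercise the check offline:
foreach ($sample in '15.0.2.39', '15.0.3.39', '14.1.7.1', '13.0.7.0', '12.1.6.0', '11.0.0.0') {
    Test-MoveItPatched -InstalledVersion $sample
}

# On the MOVEit Transfer host itself:
# $installed = Get-MoveItInstalledVersion
# if ($installed) { Test-MoveItPatched -InstalledVersion $installed }
```

Run the script on each MOVEit Transfer server (or feed it build numbers gathered by your inventory tool); any row whose Status is not "Patched" should be treated as exposed until the corresponding fixed version from the table is installed.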
Mitigations and Workarounds
Immediately disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically:
- Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
- It is important to note that until HTTP and HTTPS traffic is enabled again:
  - Users will not be able to log on to the MOVEit Transfer web UI
  - MOVEit Automation tasks that use the native MOVEit Transfer host will not work
  - REST, Java and .NET APIs will not work
  - MOVEit Transfer add-in for Outlook will not work
  - SFTP and FTP/S protocols will continue to work as normal
- Apply the patch: as patches for supported MOVEit Transfer versions become available, links will be provided below. Supported versions are listed at https://community.progress.com/s/products/moveit/product-lifecycle.
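The firewall step above is usually done on the perimeter, but the same containment can be applied on the MOVEit Transfer host itself with the Windows Firewall cmdlets. The script below is an added example, not part of the Progress advisory or of Netsurion's tooling: it blocks inbound TCP 80 and 443, shows the resulting rules so the block can be verified, and removes exactly those rules once the patch is in place. The rule group name is an assumed label chosen here for cleanup; it must be run in an elevated session.

```powershell
# Added example (not from the advisory): emergency containment for a MOVEit
# Transfer host. Block inbound TCP 80/443 until the fixed version is installed,
# then remove the block. Rules are tagged with an assumed group name so the
# cleanup only touches what this script created. Run as Administrator.
$ContainmentGroup = 'MOVEit Transfer emergency containment'

function Block-MoveItWebTraffic {
    foreach ($port in 80, 443) {
        $name = "Block inbound TCP $port (MOVEit containment)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        # Windows Firewall evaluates Block rules ahead of Allow rules, so the
        # existing IIS allow rules can stay untouched.
        New-NetFirewallRule -DisplayName $name -Group $ContainmentGroup `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function Get-MoveItContainmentStatus {
    # Lists the containment rules with their ports so the block can be verified.
    Get-NetFirewallRule -Group $ContainmentGroup -ErrorAction SilentlyContinue |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Port    = $filter.LocalPort
                Action  = $_.Action
                Enabled = $_.Enabled
            }
        }
}

function Unblock-MoveItWebTraffic {
    # Call only after the fixed version from the advisory table is installed.
    Get-NetFirewallRule -Group $ContainmentGroup -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

Block-MoveItWebTraffic
Get-MoveItContainmentStatus
# After patching and confirming the build number:
# Unblock-MoveItWebTraffic
```

Because the rules are scoped to TCP 80 and 443 only, SFTP and FTP/S transfers keep working, which matches the behaviour the advisory describes; confirm from a second host that the web UI is unreachable before relying on the block.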
The Cybersecurity and Infrastructure Security Agency (CISA) also urged organizations to review Progress’ advisory about the bug.
It is good practice to keep the MOVEit Transfer application updated to the latest available version. For more information and best practices on preventing and mitigating ransomware and data extortion incidents, refer to the resources listed on StopRansomware.gov: https://www.cisa.gov/stopransomware/ransomware-guide.
Netsurion Detection and Response
Netsurion strictly follows the guidelines in the CISA ransomware guide. Our security analysts have added the IOCs (Indicators of Compromise: the hashes of malicious files and the IP addresses) to Netsurion’s Threat Center, our Threat Intelligence Platform. This will help detect malicious files and suspicious command-and-control communications to malicious IP addresses associated with exploitation of these three vulnerabilities. Netsurion’s vulnerability management system will also detect the vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) for customers who have subscribed to Netsurion Vulnerability Management.