Hackers are trying to exploit a new critical MOVEit vulnerability – here’s what you need to know


A new critical vulnerability affecting the MOVEit Transfer secure file transfer product has left enterprise users scrambling amid calls from security experts to patch immediately.

According to a security advisory from Progress Software, the vulnerability, tracked as CVE-2024-5806, is an improper authentication flaw that could allow an attacker to bypass the SFTP authentication process and access information stored on the MOVEit Transfer instance. 

The advisory was updated later that day with additional details on a “newly identified vulnerability in a third-party component used in MOVEit Transfer [that] elevates the risk of the original issue mentioned above if left unpatched”.

To mitigate this third-party vulnerability, Progress Software advised customers to verify if they have blocked public inbound RDP access to their MOVEit Transfer servers and ensure they have limited outbound access to only known trusted endpoints from MOVEit Transfer servers.

The bug affects MOVEit Transfer versions 2023.0, 2023.1 and 2024.0, and Progress Software advises all customers using the affected versions to patch as soon as possible and implement the mitigation steps outlined above.
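The two mitigations Progress recommends (no public inbound RDP, outbound traffic limited to known endpoints) can be audited and applied with the built-in Windows Defender Firewall cmdlets. The script below is an added example, not code from Progress or the advisory; it assumes MOVEit Transfer is running on a Windows host with the Windows firewall in use, and the admin subnet and trusted endpoint addresses are placeholders to replace.

```powershell
# Added example (not from the advisory): audit and apply the advisory's two
# mitigations on a Windows host running MOVEit Transfer. Run elevated.
$AdminSubnet     = '10.0.0.0/24'                      # ASSUMPTION: where admins RDP from
$TrustedOutbound = @('203.0.113.10', '203.0.113.11')  # ASSUMPTION: known endpoints (TEST-NET)

# 1. Audit: enabled inbound Allow rules that expose RDP (TCP 3389) to Any remote address
$exposedRdp = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -eq 'TCP') -and
        (($port.LocalPort -contains '3389') -or ($port.LocalPort -contains 'Any')) -and
        ($addr.RemoteAddress -contains 'Any')
    }
if ($exposedRdp) {
    Write-Warning "Inbound RDP is allowed from Any by: $($exposedRdp.DisplayName -join ', ')"
} else {
    Write-Output 'No enabled inbound rule exposes RDP to Any remote address.'
}

# 2. Remediate RDP: disable the over-broad rules, keep inbound default-deny,
#    and allow RDP only from the admin subnet
if ($exposedRdp) { $exposedRdp | Disable-NetFirewallRule }
Set-NetFirewallProfile -All -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'MOVEit - Allow RDP from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminSubnet -Action Allow

# 3. Limit outbound traffic to known trusted endpoints. Default-deny outbound also
#    blocks DNS, AD, update and licensing traffic, so every dependency the server
#    legitimately needs must be on the trusted list before this is applied.
Set-NetFirewallProfile -All -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'MOVEit - Allow outbound to trusted endpoints' -Direction Outbound `
    -RemoteAddress $TrustedOutbound -Action Allow
```

Run the audit section first on its own and review the warning before applying the remediation sections, since a default-deny outbound policy with an incomplete trusted list will break the server's own dependencies.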

Enterprises should act quickly as non-profit security organization Shadowserver warned it had already observed attempts to exploit the flaw in the wild just hours after the details were published online.

According to Ryan Emmons, lead security researcher at Rapid7, the attacker would need some prior information before being able to leverage the vulnerability. 

Emmons said that to exploit the bug successfully, an attacker would need a valid username, a target account that can authenticate remotely, and an SFTP service exposed to the internet.

Worryingly, there appears to be a wide pool of potential targets: threat intelligence platform Censys found 2,700 MOVEit Transfer instances exposed to the public internet, although the exact software version running on each instance was not confirmed.

A year after the Cl0p crisis, MOVEit finds itself in the spotlight once again

Almost exactly a year since the Russian cyber gang Cl0p exploited an SQL injection zero-day in MOVEit to cause widespread disruption, CVE-2024-5806 is a less than ideal way to mark this anniversary. 

But analysis from Aliz Hammond and Sina Kheirkhah from watchTowr Labs claimed this flaw would have been harder for Progress to detect and eliminate than the one exploited in 2023.

“It should be noted that, while MOVEit has suffered some ‘no brainer’ vulnerabilities in the past (such as SQLi), this issue does not fall into the ‘simple-error-that-should-not-have-made-it-into-hardened-software’ category,” they argued.

“The vulnerability arises from the interplay between MOVEit and IPWorks SSH, and a failure to handle an error condition. This is not the kind of vulnerability that could be easily found by static analysis, for example.”


Andrew Bolster, senior research & development manager for data science at the Synopsys Software Integrity Group, noted that because the flaw directly affects authentication in the SFTP module, even organizations that have made the effort to secure their file transfer protocols remain exposed.

“This latest vulnerability disclosure is particularly disheartening as it critically compromised customers who were making best practice efforts to utilize secure transfer techniques over SSH,” he explained.

“As such, even customers enforcing industry best practice policies, such as the NIST Secure Software Development Framework (SSDF) or ISO 27001, would be blindsided by this disclosure, which would have totally circumvented their other control measures.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.