Recently Disclosed Progress MOVEit Transfer Flaw Observed Being Actively Exploited
27 June 2024 at 20:31
A newly disclosed vulnerability in Progress MOVEit Transfer has sparked concern among cybersecurity experts due to the lingering memory of high-profile attacks by ransomware gangs using a different vulnerability last year that hit organizations such as the BBC and FBI. The new authentication bypass flaw, officially designated CVE-2024-5806, could potentially allow unauthorized access to sensitive data.
MOVEit Transfer, designed for large-scale enterprise use, boasts features compliant with regulations like PCI and HIPAA. It offers various file transfer methods, including SFTP and HTTPS, making it a critical component in many organizations' data management infrastructure.
Progress initially kept details of CVE-2024-5806 under wraps, advising customers to patch systems before its disclosure. On June 25th, 2024, Progress officially un-embargoed the vulnerability, revealing that it affects both MOVEit Transfer version 2023.0 and newer, as well as MOVEit Gateway version 2024.0 and newer.
Progress MOVEit Vulnerability Details
WatchTowr Labs was sent details of the vulnerability by a user who identified as 'dav1d_bl41ne' on its IRC channel, an unusual method of vulnerability sharing, the researchers noted. The researchers decided to investigate further, setting up a test environment to replicate the vulnerability. [caption id="attachment_79318" align="alignnone" width="471"] Source: labs.watchtowr.com[/caption] The debugger output from the test environment showed that the server was throwing exceptions and attempting to access files in unexpected ways. Upon further investigation, the researchers discovered that the vulnerability could be exploited by providing a valid file path instead of the SSH public key during authentication. This led to the server attempting to access the file, giving the attacker unauthorized access to the system. The researchers shared the following steps on exploiting the vulnerability:- Upload a public key to the File Transfer server.
- Rather than supplying a legitimate public key, send a file path to the public key, signing the authentication request with the same public key.
- The key will be accepted by the server with successful login, allowing for the access of target files.
- Block public inbound RDP access to MOVEit Transfer server(s).
- Limit outbound access on MOVEit Transfer server(s) to only trusted endpoints.