
MOVEit Transfer Zero-day Vulnerability

June 15, 2023


If you have been watching the vulnerability space, you know by now about the MOVEit utility security issues. Just today, the news is breaking that several US government agencies have been affected.

We strongly encourage everyone to remediate this risk.
Information and instructions can be found below.

What is the MOVEit Critical Vulnerability all about?

Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch.

Issue

SQL Injection (CVE-2023-34362)

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. NOTE: this was exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.

Who is affected?

All MOVEit Transfer versions are affected by this vulnerability. See the table below for the security patch for each supported version. Customers on unsupported versions should upgrade to one of the supported fixed versions below.

Based on our review of this situation to date, the following products are not susceptible to this SQL Injection Vulnerability in MOVEit Transfer: MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. At this time, no action is necessary for the above-mentioned products.

To help prevent successful exploitation of the SQL injection vulnerability against your MOVEit Transfer environment, we strongly recommend that you immediately apply the following mitigation measures, in the order given below.

1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment

More specifically, modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.

It is important to note that until HTTP and HTTPS traffic is enabled again:

  • Users will not be able to log on to the MOVEit Transfer web UI
  • MOVEit Automation tasks that use the native MOVEit Transfer host will not work
  • REST, Java and .NET APIs will not work
  • MOVEit Transfer add-in for Outlook will not work

Please note: SFTP and FTP/S protocols will continue to work as normal.
Administrators will still be able to access MOVEit Transfer by using a remote desktop session to the Windows machine and then browsing to https://localhost/. For more information on localhost connections, please refer to MOVEit Transfer Help.

2. Review, Delete and Reset

a. Delete Unauthorized Files and User Accounts

   i. Delete any instances of the human2.aspx and .cmdline script files.
   ii. On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
   iii. On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of .cmdline.
   iv. Remove any unauthorized user accounts. See the Progress MOVEit Users Documentation article.
   v. Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. For more information on reviewing logs, please refer to the MOVEit Transfer Logs guide.
   vi. Review IIS logs for any events including GET /human2.aspx. Large numbers of log entries or entries with large data sizes may indicate unexpected file downloads.
   vii. If applicable, review Azure logs for unauthorized access to Azure Blob Storage Keys and consider rotating any potentially affected keys.

b. Reset Credentials

   i. Reset service account credentials for affected systems and the MOVEit Service Account. See KB 000115941.
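As an added example (not Progress tooling, and not part of the original advisory), the following Python script applies the log-review steps 2.a.v and 2.a.vi offline to an exported IIS W3C log: it parses the #Fields directive, lists every request for /human2.aspx, and totals response bytes and request counts per client IP so that large or repeated downloads stand out. The sample log, its column set and the thresholds are constructed assumptions.

```python
"""Offline triage of an IIS W3C log for the human2.aspx indicator and oversized responses
(advisory steps 2.a.v and vi). Added example, not Progress tooling; thresholds are assumptions."""
from collections import defaultdict

# Constructed sample log. The #Fields directive is read at run time, so the parser follows
# whatever column set the server actually logs (this particular set is an assumption).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-bytes cs-bytes
2023-05-28 01:02:03 10.0.0.5 GET /human2.aspx - 443 203.0.113.10 200 52428800 512
2023-05-28 01:05:00 10.0.0.5 GET /human.aspx - 443 198.51.100.7 200 34122 700
2023-05-28 01:05:30 10.0.0.5 POST /human.aspx - 443 198.51.100.7 302 - 1490
2023-05-28 01:06:00 10.0.0.5 GET /human2.aspx - 443 203.0.113.10 200 734003200 512
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field set can change mid-file after an IIS restart
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def _as_int(value):
    """IIS writes '-' when a byte count is unknown; count those as 0."""
    return int(value) if value and value.isdigit() else 0


def triage(text, large_response_bytes=10 * 1024 * 1024, many_requests=1000):
    """Return (human2_hits, per_ip): every request for /human2.aspx, plus per-client totals
    with a 'flagged' verdict for web-shell hits, large transfers or very many requests."""
    hits = []
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0, "human2": 0})
    for rec in parse_iis_w3c(text):
        stats = per_ip[rec.get("c-ip", "-")]
        stats["requests"] += 1
        stats["bytes"] += _as_int(rec.get("sc-bytes"))
        if rec.get("cs-uri-stem", "").lower().endswith("/human2.aspx"):
            stats["human2"] += 1
            hits.append(rec)
    for stats in per_ip.values():
        stats["flagged"] = (stats["human2"] > 0 or stats["bytes"] >= large_response_bytes
                            or stats["requests"] >= many_requests)
    return hits, dict(per_ip)
```

Run `triage(open(path).read())` against each exported IIS log; the returned hits and every client marked `flagged` are what to hand to your incident response team alongside the file checks in steps 2.a.i to 2.a.iii.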

3. Apply the Patch

Patches for all supported MOVEit Transfer versions are available below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note that the existing license file can be kept when applying the patch.

Affected Version → Fixed Version (Documentation):

  • MOVEit Transfer 2023.0.0 (15.0) → MOVEit Transfer 2023.0.1 (MOVEit 2023 Upgrade Documentation)
  • MOVEit Transfer 2022.1.x (14.1) → MOVEit Transfer 2022.1.5 (MOVEit 2022 Upgrade Documentation)
  • MOVEit Transfer 2022.0.x (14.0) → MOVEit Transfer 2022.0.4
  • MOVEit Transfer 2021.1.x (13.1) → MOVEit Transfer 2021.1.4 (MOVEit 2021 Upgrade Documentation)
  • MOVEit Transfer 2021.0.x (13.0) → MOVEit Transfer 2021.0.6
  • MOVEit Transfer 2020.1.x (12.1) → Special Patch Available (See KB 000234559)
  • MOVEit Transfer 2020.0.x (12.0) or older → MUST upgrade to a supported version (See MOVEit Transfer Upgrade and Migration Guide)
  • MOVEit Cloud → MOVEit Transfer 14.1.4.94 and MOVEit Transfer 14.0.3.42; all MOVEit Cloud systems are fully patched at this time (see the Cloud Status Page)

4. Verification

a. To confirm that the files have been successfully deleted and no unauthorized accounts remain, follow step 2.a again. If you do find indicators of compromise, you should reset the service account credentials again.

5. Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment

6. Continuous Monitoring

a. Monitor network, endpoints, and logs for IoCs (Indicators of Compromise) as listed in the Indicators of Compromise section below.

Additional Security Best Practices

If you are unable to follow the recommended mitigation steps above, we strongly suggest taking the security steps below to help reduce the risk of unauthorized access to your MOVEit Transfer environment. It is important to note that these are not considered mitigation steps for the vulnerability itself.

Please see here for MOVEit Security Best Practices.

  • Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
  • Review and remove any unauthorized user accounts. See Progress MOVEit Users Documentation article.
  • Update remote access policies to only allow inbound connections from known and trusted IP addresses. For more information on restricting remote access, please refer to SysAdmin Remote Access Rules and Security Policies Remote Access guide.
  • Allow inbound access only from trusted entities (e.g., using certificate-based access control).
  • Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user’s account password is lost, stolen, or compromised. To enable MFA, please refer to the MOVEit Transfer Multi-factor Authentication Documentation.

Indicators of Compromise

See file attachment cve-2023-34362.csv

If you do notice any of the indicators noted above, please immediately contact your security and IT teams and open a ticket with Progress Technical Support at: https://community.progress.com/s/supportlink-landing


Contact Cornerstone.IT for assistance with this or any other technology or security needs.
