Critical Vulnerability in MOVEit Transfer Exploited (CVE-2024-5806): Patch Immediately


A recently disclosed critical security vulnerability in Progress Software’s MOVEit Transfer platform has already become the target of exploitation attempts. Details of the flaw were made public only recently, so users should apply the available patches without delay.

The Vulnerability Details

The vulnerability, identified as CVE-2024-5806, carries a high CVSS score of 9.1, indicating its severe nature. This flaw is an authentication bypass vulnerability affecting several versions of MOVEit Transfer:

  • Versions from 2023.0.0 to before 2023.0.11
  • Versions from 2023.1.0 to before 2023.1.6
  • Versions from 2024.0.0 to before 2024.0.2

Progress Software issued an advisory on Tuesday, explaining the nature of the flaw: “Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.” In other words, the flaw could let an attacker bypass authentication and gain unauthorized access to MOVEit Transfer systems.

Exploitation and Technical Specifics

Security researchers from watchTowr Labs, including Aliz Hammond and Sina Kheirkhah, have provided additional technical details about CVE-2024-5806. They warned that this vulnerability could be exploited to impersonate any user on the affected server. The flaw is actually a combination of two separate vulnerabilities: one inherent in Progress MOVEit and another in the IPWorks SSH library.

While the more severe issue, the ability to impersonate arbitrary users, is unique to MOVEit, the researchers pointed out that the related forced authentication vulnerability could affect any application using the IPWorks SSH server. This exacerbates the risk if left unpatched.

Mitigation Steps

Progress Software has emphasized the importance of addressing these vulnerabilities promptly. They recommend two key steps to mitigate potential risks:

  1. Block public inbound RDP access to MOVEit Transfer servers.
  2. Limit outbound access to only known trusted endpoints from MOVEit Transfer servers.

Additionally, another critical SFTP-associated authentication bypass vulnerability (CVE-2024-5805, also with a CVSS score of 9.1) affecting MOVEit Gateway version 2024.0.0 has been addressed by Progress Software. Successful exploitation of these flaws could enable attackers to bypass SFTP authentication and gain unauthorized access to MOVEit Transfer and Gateway systems.

Prerequisites for Exploitation

According to cybersecurity firm Rapid7, there are three prerequisites for leveraging CVE-2024-5806:

  1. Knowledge of an existing username.
  2. The target account must be capable of remote authentication.
  3. The SFTP service must be publicly accessible over the internet.
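The affected version ranges, the MOVEit Gateway version and the public-SFTP prerequisite listed above can be turned into a quick inventory check. The following is an added example, not code from Progress, Rapid7 or watchTowr; the host names, inventory fields and the "urgent"/"high" labels are assumptions made for illustration.

```python
# Added example: triage a constructed inventory against the ranges in this article.
# Versions outside the listed ranges return None because the article does not assess them.

# (product, first affected, exclusive upper bound, CVE)
AFFECTED = [
    ("transfer", (2023, 0, 0), (2023, 0, 11), "CVE-2024-5806"),
    ("transfer", (2023, 1, 0), (2023, 1, 6), "CVE-2024-5806"),
    ("transfer", (2024, 0, 0), (2024, 0, 2), "CVE-2024-5806"),
    # Gateway: only 2024.0.0 is named as affected; the bound just isolates that version.
    ("gateway", (2024, 0, 0), (2024, 0, 1), "CVE-2024-5805"),
]

def parse_version(text):
    """Parse '2023.0.8' into a 3-int tuple; extra build fields are ignored."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparsable version: {text!r}")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def affected_cve(product, version):
    """Return the CVE id if product/version falls in an affected range, else None."""
    v = parse_version(version)
    for prod, first_bad, upper, cve in AFFECTED:
        if prod == product.lower() and first_bad <= v < upper:
            return cve
    return None

def triage(hosts):
    """List affected hosts, internet-exposed SFTP first (labels are assumptions)."""
    findings = []
    for h in hosts:
        cve = affected_cve(h["product"], h["version"])
        if cve:
            priority = "urgent" if h["sftp_public"] else "high"
            findings.append((h["name"], cve, priority))
    return sorted(findings, key=lambda f: f[2] != "urgent")

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    {"name": "mft-01", "product": "Transfer", "version": "2023.0.8", "sftp_public": False},
    {"name": "mft-02", "product": "Transfer", "version": "2023.1.6", "sftp_public": True},
    {"name": "mft-03", "product": "Transfer", "version": "2024.0.1", "sftp_public": True},
    {"name": "gw-01", "product": "Gateway", "version": "2024.0.0", "sftp_public": True},
]

if __name__ == "__main__":
    for name, cve, priority in triage(INVENTORY):
        print(f"{priority:6} {name} {cve}")
```

A host that is not internet-facing still needs the patch; the ordering only decides which systems to update first.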

Global Exposure and Immediate Action

Data from Censys indicates that as of June 25, approximately 2,700 MOVEit Transfer instances are accessible online. These instances are primarily located in the U.S., the U.K., Germany, the Netherlands, Canada, Switzerland, Australia, France, Ireland, and Denmark.

Given the critical nature of this vulnerability and the widespread presence of MOVEit Transfer instances, it is imperative for users to act swiftly. The urgency is further underscored by the recent history of similar vulnerabilities being exploited. For instance, last year, the MOVEit Transfer platform was heavily targeted in Cl0p ransomware attacks exploiting CVE-2023-34362, which had a CVSS score of 9.8.

Broader Cybersecurity Context

This development is part of a broader trend of critical vulnerabilities being targeted by malicious actors. For example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently disclosed an intrusion into its Chemical Security Assessment Tool (CSAT). This incident, which occurred in January, involved the exploitation of security flaws in the Ivanti Connect Secure (ICS) appliance, tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

CISA reported that this intrusion may have resulted in unauthorized access to sensitive information, including Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts. However, the agency noted that there was no evidence of data exfiltration.

Global Exposure and Immediate Action

In light of the ongoing exploitation attempts and the severe impact of the vulnerabilities, it is crucial for organizations using MOVEit Transfer and MOVEit Gateway to update their systems immediately. Failure to do so could result in significant security breaches, potentially compromising sensitive data and critical operations. Regular updates and adherence to security advisories are essential practices in maintaining robust cybersecurity defenses.
