Progress Software has recently disclosed two critical-severity authentication bypass vulnerabilities in its MOVEit Gateway and Transfer products [5].
Description
The vulnerabilities, tracked as CVE-2024-5806 and CVE-2024-5805, impact specific versions of MOVEit Transfer and MOVEit Gateway. CVE-2024-5806 affects MOVEit Transfer versions prior to 2023.0.11, 2023.1.6, and 2024.0.2 [2]. It allows attackers to bypass authentication in the SSH File Transfer Protocol (SFTP) module and potentially gain unauthorized access to sensitive data. Exploitation of CVE-2024-5806 requires knowledge of an existing username [3], remote authentication capability [3], and an exposed SFTP service [3]. Additionally, a third-party vulnerability in MOVEit Transfer has been identified [1], which further increases the risk if left unpatched [1]. CVE-2024-5805 impacts MOVEit Gateway version 2024.0.0 and also leads to an authentication bypass [6].
Threat actors have been actively targeting these vulnerabilities: exploit code is publicly available and exploit attempts have been reported. A security vendor observed exploitation attempts shortly after disclosure [3], and threat actors are likely to target the vulnerability because exploit code is publicly available [3]. The Shadowserver Foundation has observed exploit attempts against its honeypots [4].
Security researchers have provided technical details on CVE-2024-5806 [6], highlighting the potential for impersonating any user on the server [6]. The vulnerability comprises two separate flaws [6], one in Progress MOVEit and the other in the IPWorks SSH library [6]; the capability to impersonate arbitrary users is specific to MOVEit [6].
Rapid7 has recommended the immediate installation of the patches provided by Progress to mitigate the risks posed by CVE-2024-5806. Recommendations include upgrading to the latest fixed versions and mitigating the third-party vulnerability in IPWorks SSH [3]. This incident follows a series of vulnerabilities in the MOVEit product range discovered in 2023 [4], which resulted in successful supply chain attacks impacting organizations globally [4].
Administrators are advised to prioritize assessing their exposure and implementing appropriate measures, such as blocking inbound RDP access and restricting outbound access to trusted endpoints [1].
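To support the exposure assessment described above, the following added example (not code from Progress or from any of the cited sources) triages an asset inventory against the version numbers given in this article. It assumes each fixed MOVEit Transfer version applies to its own release train, reports builds the article does not cover as needing manual review, and uses a constructed inventory with hypothetical host names.

```python
import re

# Fixed MOVEit Transfer builds for CVE-2024-5806, as listed in the text above.
# Assumption: each entry is the fix for its own release train (year, minor).
TRANSFER_FIXED = {(2023, 0): 11, (2023, 1): 6, (2024, 0): 2}
# MOVEit Gateway build the text names as affected by CVE-2024-5805.
GATEWAY_AFFECTED = {(2024, 0, 0)}

def parse_version(text):
    """Parse '2023.1.5' or 'v2024.0.1.0' into (year, minor, patch); None if unparseable."""
    m = re.match(r"^\s*v?(\d{4})\.(\d+)\.(\d+)(?:\.\d+)*\s*$", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def classify(product, version):
    """Return 'affected', 'fixed', or 'review' when the text gives no answer for this build."""
    v = parse_version(version)
    if v is None:
        return "review"
    if product.strip().lower() == "gateway":
        return "affected" if v in GATEWAY_AFFECTED else "review"
    fixed_patch = TRANSFER_FIXED.get(v[:2])
    if fixed_patch is None:
        return "review"  # release train not covered by the listed fixes
    return "affected" if v[2] < fixed_patch else "fixed"

def triage_inventory(rows):
    """Return (affected hosts with exposed SFTP first, hosts needing manual review)."""
    affected, review = [], []
    for host, product, version, sftp_exposed in rows:
        status = classify(product, version)
        if status == "affected":
            affected.append((host, sftp_exposed))
        elif status == "review":
            review.append(host)
    affected.sort(key=lambda item: (not item[1], item[0]))
    return [host for host, _ in affected], review

# Constructed sample inventory: (host, product, reported version, SFTP reachable from outside).
INVENTORY = [
    ("mft-01", "transfer", "2023.0.10", False),
    ("mft-02", "transfer", "2023.1.6", True),
    ("mft-03", "transfer", "2024.0.1", True),
    ("mft-04", "transfer", "2022.1.9", True),
    ("gw-01", "gateway", "2024.0.0", True),
    ("gw-02", "gateway", "2024.0.1", False),
    ("mft-05", "transfer", "unknown", True),
]

if __name__ == "__main__":
    patch_now, check_manually = triage_inventory(INVENTORY)
    print("patch first:", patch_now)
    print("manual review:", check_manually)
```

Hosts in the review list should be checked against the vendor advisory directly, since this article states no status for those builds.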
Conclusion
The vulnerabilities in Progress Software’s MOVEit products pose significant risks to organizations, with threat actors actively exploiting them. Immediate installation of patches and mitigation of third-party vulnerabilities are crucial to safeguard sensitive data and prevent unauthorized access. Administrators should remain vigilant and take necessary steps to secure their systems against potential attacks.
References
[1] https://arstechnica.com/security/2024/06/critical-moveit-vulnerability-puts-huge-swaths-of-the-internet-at-severe-risk/
[2] https://www.scmagazine.com/news/new-moveit-critical-bug-sees-swift-exploitation-attempts
[3] https://arcticwolf.com/resources/blog/cve-2024-5805-cve-2024-5806/
[4] https://www.infosecurity-magazine.com/news/progress-new-vulnerabilities-moveit/
[5] https://duo.com/decipher/critical-moveit-authentication-bypass-flaws-fixed
[6] https://thehackernews.com/2024/06/new-moveit-transfer-vulnerability-under.html