MOVEit Transfer Critical Vulnerability Being Exploited

CVE-2024-5806

Report by Matthew Fagan and Alexander Marshall, Access Point Consulting

Summary

CVE-2024-5806 (CVSS 3.1: 9.1) affects multiple versions of the Progress MOVEit Transfer SFTP module and allows authentication bypass. The Shadowserver Foundation has reported that exploit attempts against vulnerable MOVEit Transfer instances were made immediately after the CVE was published. Security researchers at WatchTowr created proof-of-concept exploit code and a detailed technical writeup of the vulnerability on June 25th, 2024. WatchTowr and Progress advise updating your MOVEit Transfer instance to the latest version.

The Vulnerability

If exploited, the vulnerability allows an authentication bypass, which gives an unauthorized attacker access to integral company details. It affects MOVEit Transfer versions 2023.0.0-2023.0.11, 2023.1.0-2023.1.6, and 2024.0.0-2024.0.2.

According to WatchTowr, the exploit enables two main attacks: Forced Authentication and Assuming the Identity of Arbitrary Users. The first attack demonstrated was determined to be of limited practical use because of MOVEit's security measures. The second is the most devastating: it allows the attacker to authenticate fully as any type of user and use that user's permissions. WatchTowr's report provides much more detailed explanations.

Exploitation of this vulnerability can lead to a compromise of the MOVEit Transfer server, as an attacker would be able to impersonate a user. This can lead to data loss and exfiltration, as well as monetary and reputational loss. Depending on the type of data stored and used with this server, the amount of sway the attacker would have over the organization's underlying operations and data could be monumental.

Remediation

It is advised to upgrade to the latest release of the MOVEit Transfer version you have. Which upgrade you need depends on which version of MOVEit Transfer you are running.
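To decide which instances need the upgrade first, the following added example (not code from Progress, WatchTowr or the report authors) checks an inventory of MOVEit Transfer version strings against the affected ranges listed under "The Vulnerability". The host names and the inventory itself are constructed for illustration, and version strings are assumed to use the `YYYY.N.P` form shown on this page.

```python
import re

# Affected ranges exactly as listed on this page (inclusive patch numbers),
# keyed by release train (year, minor).
AFFECTED = {
    (2023, 0): (0, 11),
    (2023, 1): (0, 6),
    (2024, 0): (0, 2),
}

_VERSION_RE = re.compile(r"^\s*v?(\d{4})\.(\d+)\.(\d+)\s*$")

def parse_version(text):
    """Return (year, minor, patch), or None if the string is not YYYY.N.P."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text):
    """Return 'affected', 'not_listed' or 'unparseable'.

    'not_listed' only means the version is outside the ranges on this page;
    it is not a statement that the release is supported or fixed.
    """
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    bounds = AFFECTED.get(v[:2])
    if bounds and bounds[0] <= v[2] <= bounds[1]:
        return "affected"
    return "not_listed"

def triage(inventory):
    """Group host names by classification; unparseable entries need manual review."""
    report = {"affected": [], "not_listed": [], "unparseable": []}
    for host, version in inventory.items():
        report[classify(version)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed inventory: host names and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "sftp-prod-01": "2023.0.11",
    "sftp-prod-02": "2023.1.7",
    "sftp-dr-01": "2024.0.2",
    "sftp-test-01": "v2024.0.3",
    "sftp-legacy": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unparseable` should be checked by hand rather than assumed safe.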

Recommendations

Patching: Upgrading to the latest version of MOVEit Transfer will remediate the vulnerability. It is advised to do this on an accelerated cadence due to active exploitation reports.

Mitigations: Successful exploitation of this attack requires knowledge of a valid username on the system. Renaming default accounts and creating custom usernames will help prevent this from being exploited. In addition, whitelisting only certain IP addresses will prevent an attacker from being able to perform an exploit. A username must pass any IP-based restrictions, so whitelisting will help reduce risk.

Associated Bulletins

MOVEit Transfer Critical Security Alert Bulletin – June 2024 – (CVE-2024-5806) - Progress Community

https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
