Progress quietly fixes MOVEit auth bypass flaws (CVE-2024-5805, CVE-2024-5806)

Progress Software has patched one critical (CVE-2024-5805) and one high-risk (CVE-2024-5806) vulnerability in MOVEit, its widely used managed file transfer (MFT) software product.


According to WatchTowr Labs researchers, the company has been privately instructing users to implement the hotfixes before they go public with the information.

About the vulnerabilities

CVE-2024-5805 is an improper authentication vulnerability in MOVEit Gateway, which serves as a proxy so that MOVEit Transfer – the actual managed file transfer software – can receive inbound connections when deployed behind a firewall.

The vulnerability affects the solution’s SFTP module and allows attackers to bypass authentication. It affects MOVEit Gateway v2024.0.0 and was fixed in v2024.0.1 earlier this month.

“Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running,” Progress Software warned.

The same warning has been given to those who will upgrade their MOVEit Transfer installations to fix CVE-2024-5806, a less critical (but still serious) improper authentication flaw affecting the solution’s SFTP module. CVE-2024-5806 can lead to authentication bypass “in limited scenarios,” the company said.

That vulnerability affects MOVEit Transfer versions:

  • From v2023.0.0 before v2023.0.11
  • From v2023.1.0 before v2023.1.6
  • From v2024.0.0 before v2024.0.2.

Customers with on-premises installations are advised to upgrade to one of the fixed versions.
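As an added example (not code from Progress or the advisory), the following script triages an inventory of MOVEit Transfer version strings against exactly the three affected ranges listed above and reports which hosts still need the fixed release; hostnames and versions in the sample inventory are constructed.

```python
# Added example: check MOVEit Transfer versions against the CVE-2024-5806
# affected ranges from the advisory. Not Progress' own tooling.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (branch, first affected version, first fixed version), as published.
AFFECTED_RANGES = (
    ((2023, 0), (2023, 0, 0), (2023, 0, 11)),
    ((2023, 1), (2023, 1, 0), (2023, 1, 6)),
    ((2024, 0), (2024, 0, 0), (2024, 0, 2)),
)


def parse_version(text: str) -> Version:
    """Turn 'v2023.0.11' or '2023.0.11' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def status(version: str) -> Tuple[str, Optional[str]]:
    """Classify one version: ('vulnerable', fixed_release), ('fixed', None)
    or ('unknown', None) for branches the advisory does not list.

    'unknown' is deliberately not treated as safe: the advisory says nothing
    about other branches, so they need a separate check against vendor guidance.
    """
    v = parse_version(version)
    for branch, first_affected, first_fixed in AFFECTED_RANGES:
        if v[:2] == branch:
            if first_affected <= v < first_fixed:
                return ("vulnerable", "v" + ".".join(map(str, first_fixed)))
            return ("fixed", None)
    return ("unknown", None)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> required fixed release for every vulnerable host in the inventory."""
    result = {}
    for host, ver in inventory.items():
        state, fix = status(ver)
        if state == "vulnerable":
            result[host] = fix
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"mft-01": "v2023.0.10", "mft-02": "2023.1.6", "mft-03": "v2024.0.1"}
    for host, fix in triage(sample).items():
        print(f"{host}: upgrade to {fix}")
```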

While CVE-2024-5805 did not affect MOVEit Cloud (because it does not use MOVEit Gateway), CVE-2024-5806 affected customers using the MOVEit Cloud environment, but has since been patched, the company noted.

CVE-2024-5805 was privately disclosed by one Max Hase, but it is still unknown how and by whom CVE-2024-5806 was discovered. It might just be that the disclosure of the former spurred the company to check whether MOVEit Transfer had a similar one, and they found the latter.

A PoC for CVE-2024-5806

WatchTowr Labs researchers have been privately alerted to the existence of a flaw in Progress MOVEit Transfer that could lead to an authentication bypass, as well as the fact that Progress has been sending emails to customers urging them to patch and is supposed to reveal its existence on Tuesday, June 25, 2024.

Progress has released the associated security advisories and WatchTowr researchers have published an extremely detailed account of their search for the flaw and how they managed to exploit it, and a PoC exploit for CVE-2024-5806.

“The vulnerability arises from the interplay between MOVEit and IPWorks SSH, and a failure to handle an error condition,” they found.

They also pointed out that while it’s a pretty bad attack, attackers must have knowledge of a valid user on the vulnerable system.

“Although this is a low bar for attackers to overcome, it will help limit the progress of automated attacks,” they explained, and noted that IP-based access restrictions may reduce the risk of exploitation. They also shared specific entries in the solution’s logs that can serve as an indicator of exploitation.

Rapid7 security researcher Ryan Emmons succinctly noted that “the known criteria for exploitation are threefold: that attackers have knowledge of an existing username, that the target account can authenticate remotely, and that the SFTP service is exposed,” and said that attackers may spray usernames to identify valid accounts.

MOVEit installations were infamously massively exploited last year by the Cl0p ransomware gang via a zero-day vulnerability, but WatchTowr researchers say that since Progress has been contacting customers for weeks/months to patch this issue, they do not expect anyone to still be vulnerable due to the embargo.

UPDATE (June 26, 2024, 11:50 a.m. ET):

As expected, CVE-2024-5806 exploitation attempts have already begun.

UPDATE (June 27, 2024, 03:45 a.m. ET):

Progress now deems CVE-2024-5806 to be critical, because of a newly identified vulnerability in a third-party component used in MOVEit Transfer.

“While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”

Companies are advised to implement the updates AND:

  • Block public inbound RDP access to MOVEit Transfer server(s)
  • Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)

“When the third-party vendor releases a fix, we will make that available to MOVEit Transfer customers.”

Censys “sees” 2,700 instances of MOVEit Transfer online, mostly in the US and Europe.

“The similarities between Censys-observed MOVEit Transfer exposure in 2023 versus 2024 may indicate how vital MOVEit is to the organizations where it is in use. While we didn’t necessarily expect a drastic drop in MOVEit Transfer exposure following the 2023 campaign by Clop, the similarity in the exposure numbers serves as a reminder that once enterprise software is in place, it often stays in place, even in the face of massive exploitation,” the Censys Research Team commented.
