On June 25, 2024, Progress Software, the parent company of the MOVEit software suite, officially released details for two critical vulnerabilities identified in MOVEit Gateway and MOVEit Transfer, CVE-2024-5805 and CVE-2024-5806 respectively.
MOVEit Transfer is a managed file transfer solution that supports the exchange of files and data between servers, systems and applications within and between organizations. MOVEit Gateway is a proxy service that works in conjunction with MOVEit Transfer and allows hosting the MOVEit Transfer service on internal network while placing the Gateway within a DMZ to facilitate external access.
Both these vulnerabilities in MOVEit Gateway and MOVEit Transfer stem from improper authentication as implemented in the SFTP module which can lead to Authentication Bypass, in-turn leading to unauthorized access. CVE-2024-5805 was assigned a Base CVSS score of 9.1 earning a critical severity rating while CVE-2024-5806 was initially assigned a CVSS score of 7.4. On June 26, 2024, Progress Software updated their description for CVE-2024-5806 stating “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched.” Consequently, the CVSS score was elevated to a matching critical score of 9.1.
The newly identified vulnerability is likely in reference to a vulnerability found in IPWorks SSH, a server library utilized by the MOVEit software suite to handle key pair authentication and other lower-level SSH operations. A writeup from WatchTowr Labs states that the original identified vulnerability in MOVEit Transfer, “arises from the interplay between MOVEit and IPWorks SSH, and a failure to handle an error condition.”
The following versions of MOVEit Transfer are vulnerable to CVE-2024-5806:
- From 2023.0.0 before 2023.0.11
- From 2023.1.0 before 2023.1.6
- From 2024.0.0 before 2024.0.2
The following versions of MOVEit Gateway are vulnerable to CVE-2024-5805:
- 2024.0.0
From testing, Rapid 7 identified the following three criteria required for successful authentication bypass exploiting CVE-2024-5806: “that attackers have knowledge of an existing username, that the target account can authenticate remotely, and that the SFTP service is exposed.”
The Shadowserver Foundation reports that active attempts to exploit CVE-2024-5806 have been observed in the wild following the publication of the aforementioned writeup by WatchTowr Labs. Censys also reports ~2,700 instances of MOVEit Transfers are present online, primarily within the United States, U.K., and Germany. Given the widespread abuse of another critical MOVEit Transfer vulnerability (CVE-2023-34362, CVSS score: 9.8) in a series of Cl0p ransomware attacks last year, it is crucial for users to promptly update to the latest versions.
Progress Software has released patches to address these vulnerabilities in MOVEit Transfer and MOVEit Gateway. They strongly recommend upgrading to the latest patched versions of MOVEit Transfer 2023.0.11, 2023.1.6, and 2024.0.2 immediately. To address the Vulnerability present in MOVEit Gateway, they recommend upgrading to 2024.0.1.
Following the identification of the “Third Party Vulnerability”, Progress Software has also recommended blocking all “public inbound RDP access to MOVEit Transfer server(s)” as well as limiting “outbound access to only known trusted endpoints from MOVEit Transfer server(s)”.
Progress Software also notes that “For customers on MOVEit Cloud, no further action is needed as the MOVEit Transfer patch has already been deployed to MOVEit Cloud.”
Centripetal’s CleanINTERNET® can assist in detecting unauthorized connections or exploit attempts provided any MOVEit Appliances are seated behind a RuleGATE device.
If you currently use either MOVEit Transfer or MOVEit Gateway, please contact support@centripetal.ai.
Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
Resources:
- MOVEit Gateway Critical Security Alert Bulletin
- MOVEit Transfer Critical Security Alert Bulletin
- Vulnerability Details : CVE-2024-5805
- Vulnerability Details : CVE-2024-5806
- Auth. Bypass In (Un)Limited Scenarios – Progress MOVEit Transfer (CVE-2024-5806)
- MOVEit Transfer: Auth bypass and a look at exposure
- MOVEit Exposure Tracker
- X: The Shadowserver Foundation
- Authentication Bypasses in MOVEit Transfer and MOVEit Gateway
