After hundreds of companies were attacked with a 0-day vulnerability in MOVEit Transfer, the developer of this file transfer management product, Progress Software, promised to regularly release patches to provide a “predictable, simple, and transparent bug fixing process.” The first such package included patches for three vulnerabilities, including a critical one.
MOVEit Vulnerabilities – The Post-Factum View
All this story started with a 0-day vulnerability (CVE-2023-34362) in MOVEit Transfer, which was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem. Researchers say that attacks with the exploitation of this vulnerability began as early as May 27, 2023.
Attackers used this vulnerability to deploy custom web shells on affected servers. This allowed them to list files stored on the server, download them, and steal account credentials and secrets. The latter included the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings. To simplify, all the attacks with that vulnerability was in fact a sophisticated SQL injection. The sophistication here is thanks to the unusual way of accessing the database – actually, through the 0-day breach.
As a result, Microsoft analysts linked the massive attacks to the Cl0p ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). And soon the hackers began to make demands, extorting ransoms from the affected companies. At the moment, according to Emsisoft experts, the number of companies-victims exceeds 230: at least 20 schools in the US and dozens of universities around the world were affected. In total, the leaks affected information about 17-20 million people.
MOVEit MFT Vulnerabilities Receive a Fix
MOVEit programs will receive service packs from Progress Software, including MOVEit Transfer and MOVEit Automation. The first one alreadyt got a patch that fixes for a critical SQL injection. It also contains fixes for two other, less serious vulnerabilities.
The critical issue has been identified as CVE-2023-36934 by the Trend Micro Zero Day Initiative. The developers report that it can be used without authentication, allowing an attacker to gain unauthorized access to the MOVEit Transfer database.
There are currently no reports of active exploitation of this breach by hackers. The second vulnerability is also a SQL injection and received the identifier CVE-2023-36932. Hackers actively use this one once they managed to bypass the authentication. Both SQL injections affect multiple versions of MOVEit Transfer, including 12.1.10 and later, 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later.
The third issue addressed by patches this month was the CVE-2023-36933 vulnerability. This breach allows attackers to spontaneously terminate a program. Bug persists in MOVEit Transfer versions 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later. Company recommends its clients to install updates for their versions, corresponding to the table below.
| Vulnerable versions | Corrected version | Documentation | Release Notes |
|---|---|---|---|
| MOVEit Transfer 2023.0.x (15.0.x) | MOVEit Transfer 2023.0.4 (15.0.4) | MOVEit 2023 Upgrade | MOVEit Transfer 2023.0.4 |
| MOVEit Transfer 2022.1.x (14.1.x) | MOVEit Transfer 2022.1.8 (14.1.8) | MOVEit 2022 Upgrade | MOVEit Transfer 2022.1.8 |
| MOVEit Transfer 2022.0.x (14.0.x) | MOVEit Transfer 2022.0.7 (14.0.7) | MOVEit 2022 Upgrade | MOVEit Transfer 2022.0.7 |
| MOVEit Transfer 2021.1.x (13.1.x) | MOVEit Transfer 2021.1.7 (13.1.7) | MOVEit 2021 Upgrade | MOVEit Transfer 2021.1.7 |
| MOVEit Transfer 2021.0.x (13.0.x) | MOVEit Transfer 2021.0.9 (13.0.9) | MOVEit 2021 Upgrade | MOVEit Transfer 2021.0.9 |
| MOVEit Transfer 2020.1.6+ (12.1.6) | Special Service Pack available | MOVEit Transfer 2020.1SP | MOVEit Transfer 2020.1.7 |
| MOVEit Transfer 2020.0.x+ (12.0.x) | Update to a supported version | Upgrade/Migration Guide | N/A |
