Authentication Bypasses in MOVEit Transfer and MOVEit Gateway | Rapid7 Blog

Summary: This content discusses two new vulnerabilities in MOVEit Transfer and MOVEit Gateway, which can be exploited by threat actors to bypass SFTP authentication and gain unauthorized access.

Threat Actor: Unspecified
Victim: Progress Software

Key Points:

  • Progress Software has disclosed two vulnerabilities in MOVEit Transfer and MOVEit Gateway, namely CVE-2024-5806 and CVE-2024-5805.
  • These vulnerabilities allow attackers to bypass SFTP authentication and gain unauthorized access to MOVEit Transfer and Gateway.

Last updated at Tue, 25 Jun 2024 23:38:52 GMT

On June 25, 2024, Progress Software published information on two new vulnerabilities in MOVEit Transfer and MOVEit Gateway: CVE-2024-5806, a high-severity authentication bypass affecting the MOVEit Transfer SFTP service in a default configuration, and CVE-2024-5805, a critical SFTP-associated authentication bypass vulnerability affecting MOVEit Gateway. Attackers can exploit these improper authentication vulnerabilities to bypass SFTP authentication and gain access to MOVEit Transfer and Gateway.

CVE-2024-5806 is an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass. Rapid7 researchers tested a MOVEit Transfer 2023.0.1 instance, which appeared to be vulnerable in the default configuration. As of June 25, the known criteria for exploitation are threefold: that attackers have knowledge of an existing username, that the target account can authenticate remotely, and that the SFTP service is exposed. It’s possible that attackers may spray usernames to identify valid accounts. Rapid7 recommends installing the vendor-provided patches for CVE-2024-5806 on an emergency basis, without waiting for a regular patch cycle to occur.
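The paragraph above notes that exploitation requires a valid username and that attackers may spray usernames to find one. The following is an added detection example, not code from Rapid7 or Progress Software: it reads SFTP authentication-failure log lines and flags any source address that tried many distinct usernames inside a short window, which is the pattern username spraying leaves behind. The log line format and the sample lines are constructed for this example and are an assumption; MOVEit Transfer's real log format differs, so the regular expression would need adapting to it.

```python
"""Flag possible SFTP username spraying from authentication-failure log lines.

Added example; not Rapid7's or Progress Software's code. The log line format
below is an assumed generic one constructed for this example, not the actual
MOVEit Transfer log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the assumed format:
#   <ISO-8601 timestamp> sftp auth-failed user=<name> src=<ip>
# 203.0.113.10 cycles through six usernames in six seconds (spraying);
# 198.51.100.7 retries a single account (not spraying by this definition).
SAMPLE_LOG = """\
2024-06-25T21:00:01Z sftp auth-failed user=alice src=203.0.113.10
2024-06-25T21:00:02Z sftp auth-failed user=bob src=203.0.113.10
2024-06-25T21:00:03Z sftp auth-failed user=carol src=203.0.113.10
2024-06-25T21:00:04Z sftp auth-failed user=dave src=203.0.113.10
2024-06-25T21:00:05Z sftp auth-failed user=erin src=203.0.113.10
2024-06-25T21:00:06Z sftp auth-failed user=frank src=203.0.113.10
2024-06-25T21:05:00Z sftp auth-failed user=alice src=198.51.100.7
2024-06-25T21:05:30Z sftp auth-failed user=alice src=198.51.100.7
2024-06-25T22:30:00Z sftp auth-failed user=grace src=203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sftp auth-failed user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, username, source_ip) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"]


def find_spraying_sources(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: set_of_usernames} for every source that attempted
    at least `min_users` distinct usernames within some `window`-long span.

    A sliding window runs over each source's failures in time order; the
    largest distinct-username set seen in any window is kept for that source.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort()  # by timestamp first
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    flagged = {}
    for src, evs in by_src.items():
        start, best = 0, set()
        for end in range(len(evs)):
            # Drop events older than `window` relative to the newest one.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, users in find_spraying_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} distinct usernames in window -> {sorted(users)}")
```

The threshold and window are deliberately parameters: a handful of distinct usernames from one address in a few minutes is normal on a busy transfer server, so tune `min_users` against your own baseline before alerting on it. Repeated failures against a single account (the second source above) are a different signal, password guessing rather than username discovery, and are better handled by the existing account-lockout policy.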

According to Progress Software’s advisory, CVE-2024-5805 is a critical authentication bypass vulnerability that affects the SFTP feature of the MOVEit Gateway software in version 2024.0.0; earlier versions do not appear to be vulnerable, which likely limits available attack surface area. MOVEit Gateway is an optional component designed to proxy traffic to and from MOVEit Transfer instances. A patch is available for CVE-2024-5805 and should be applied on an emergency basis for organizations running MOVEit Gateway.

Progress MOVEit is an enterprise file transfer suite, which inherently makes it a highly desirable target for threat actors. Since enterprise file transfer software typically holds a large volume of confidential data, smash-and-grab attackers target these solutions to extort victims. In June 2023, an unauthenticated attack chain targeting MOVEit Transfer was widely exploited by the Cl0p ransomware group. Shodan queries indicate that there are approximately 1,000 public-facing MOVEit Transfer SFTP servers and approximately 70 public-facing MOVEit Gateway SFTP servers. (Note that not all of these may be vulnerable to these latest CVEs.)

Notably, Rapid7 observed that installers for the patched (latest) version of MOVEit Transfer have been available on VirusTotal since at least June 11, 2024. Vulnerability details and proof-of-concept exploit code are publicly available for MOVEit Transfer CVE-2024-5806 as of June 25, 2024. Security nonprofit Shadowserver has reported exploit attempts against their honeypots as of the evening of June 25 (note that honeypot activity does not always correlate to threat activity in real-world production environments).

Mitigation guidance

MOVEit customers should apply vendor-provided updates for both vulnerabilities immediately.

The following versions of MOVEit Transfer are vulnerable to CVE-2024-5806:

The advisory notes that “Customers using the MOVEit Cloud environment were patched and are no longer vulnerable to this exploit.”

Only MOVEit Gateway 2024.0.0 is vulnerable to CVE-2024-5805, per the vendor advisory. The vulnerability is fixed in MOVEit Gateway 2024.0.1. The advisory indicates that “MOVEit Cloud does not use MOVEit Gateway, so no further action is needed by MOVEit Cloud customers.”

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-5805 and CVE-2024-5806 with authenticated vulnerability checks available in today’s (June 25) content release.

Updates

June 25, 2024: Exploit attempts have been reported against honeypots. Rapid7 customer language updated to note general availability of InsightVM/Nexpose checks.

Source: https://www.rapid7.com/blog/post/2024/06/25/etr-authentication-bypasses-in-moveit-transfer-and-moveit-gateway
