Progress MOVEit Transfer Multiple Versions SQL Injection

Created:2023/07/04 | Revised:2023/07/04

SYXSCORE

Severity (level of security risk associated with exploitation of the vulnerability): CRITICAL
CVSS (severity indication for the CVE): 9.8
Countermeasure (availability of measures that reduce the probability of an attack or the impact of a threat): No
Public Aware (availability of a public announcement of the vulnerability): Yes
Weaponized (vulnerability being abused by an exploit or malware): No

Overview

An SQL injection vulnerability has been detected in Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).

Description

The SQL injection vulnerability allows an attacker to inject arbitrary SQL into the application's database queries. Depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.

This issue was exploited in May and June 2023; unpatched systems can be exploited over HTTP or HTTPS. All versions before the ones listed in the overview are affected (e.g., 2020.0 and 2019x), including older, unsupported versions.

Impact

An attacker may be able to gain access to the structure and contents of the MOVEit Transfer database, and even execute SQL statements that modify or delete data.

Solution

All MOVEit Transfer customers must apply the patch to address this vulnerability. Follow the link "CVE-2023-34362 (May 31, 2023) - Progress Community" to download the appropriate fixed version.

The official vendor's advisory also includes the following mitigation steps:

1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically:

  • Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
  • Note that until HTTP and HTTPS traffic is enabled again:
    • Users will not be able to log on to the MOVEit Transfer web UI
    • MOVEit Automation tasks that use the native MOVEit Transfer host will not work
    • REST, Java and .NET APIs will not work
    • The MOVEit Transfer add-in for Outlook will not work
    • SFTP and FTP/S protocols will continue to work as normal

2. Delete unauthorized files and user accounts, and reset credentials for service accounts.

3. Verify that unauthorized files and accounts have been removed.

4. Re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment.

5. Continuously monitor the network, endpoints, and logs for the Indicators of Compromise (IoCs) provided in the official advisory.
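The following script is an added example, not part of the Syxsense or Progress advisories, showing one way to carry out steps 1 and 4 above on the Windows server that hosts MOVEit Transfer using Windows Defender Firewall (the advisory leaves the choice of firewall open; a perimeter firewall works just as well). The rule names are our own choice, the script assumes it is run elevated on the MOVEit Transfer host, and it leaves SFTP/FTPS ports untouched, as the advisory describes.

```powershell
#Requires -RunAsAdministrator
# Added example: host-level containment for the MOVEit Transfer mitigation steps.
# Block  : step 1 - deny inbound TCP 80/443 (block rules win over IIS allow rules).
# Status : show whether the mitigation rules are in place.
# Restore: step 4 - remove the rules once steps 2 and 3 and the patch are done.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Block', 'Status', 'Restore')]
    [string]$Action
)

# Rule names are an assumption of this example, not names used by MOVEit or Progress.
$RuleNames = @{
    80  = 'MOVEit-Mitigation-Block-HTTP-80'
    443 = 'MOVEit-Mitigation-Block-HTTPS-443'
}

switch ($Action) {
    'Block' {
        foreach ($port in $RuleNames.Keys) {
            $name = $RuleNames[$port]
            # Idempotent: do not create a duplicate rule on a second run.
            if (-not (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -Name $name -DisplayName $name -Direction Inbound `
                    -Protocol TCP -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
            }
            Write-Host "Inbound TCP/$port blocked by rule '$name'."
        }
        Write-Host 'Web UI, REST/Java/.NET APIs and the Outlook add-in are now unreachable; SFTP and FTP/S are unaffected.'
    }
    'Status' {
        foreach ($port in $RuleNames.Keys) {
            $rule  = Get-NetFirewallRule -Name $RuleNames[$port] -ErrorAction SilentlyContinue
            $state = if ($rule -and $rule.Enabled -eq 'True') { 'BLOCKED' } else { 'open' }
            Write-Host ('TCP/{0}: {1}' -f $port, $state)
        }
    }
    'Restore' {
        foreach ($name in $RuleNames.Values) {
            Remove-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
        }
        Write-Host 'Mitigation rules removed; HTTP/HTTPS traffic to MOVEit Transfer is re-enabled.'
    }
}
```

Run it as `.\MoveitMitigation.ps1 -Action Block` at the start of the response and `-Action Restore` only after the fixed version is installed and the cleanup in steps 2 and 3 has been verified.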


©2024 by Syxsense Inc. All Rights Reserved
