The United States Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. federal agencies to patch systems by June 23 against a security flaw in the Progress MOVEit Transfer managed file transfer (MFT) solution that is currently being exploited. The order comes on the heels of the third critical vulnerability identified by Progress Software in less than a month. The latest, CVE-2023-35708, is a SQL injection vulnerability that could allow an unauthenticated attacker to escalate privileges and gain unauthorized access to the MOVEit Transfer database.

The first of the three, CVE-2023-34362, affects all MOVEit Transfer versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).

A SQL injection vulnerability is a flaw that lets an attacker read or modify a website or application's database through the application's own queries. It occurs when user-controlled input is placed into a SQL statement without proper validation, escaping or parameterization, so that SQL syntax supplied in an input field, URL parameter or request header is executed as part of the query instead of being treated as data.

The ransomware group known as Cl0p (or CLOP) recently used these vulnerabilities to attack hundreds of organizations, including universities, banks and major multinational corporations. Multiple federal agencies, including two Department of Energy entities, reported last week that they had been victimized, along with state government agencies. Cl0p claimed on its dark web site to have "information on hundreds of companies" as part of its attack. The group also said that if the victim organization was "a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information."

The attack deploys a web shell named human2.aspx into the MOVEit Transfer web server's directory. The web shell uses moveitisapi.dll to perform the SQL injection and guestaccess.aspx to extract session information.
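To make the SQL injection class concrete, here is an added example that is not MOVEit code and not from the original article: a deliberately vulnerable login query next to its parameterized fix, using Python's built-in sqlite3 module against a constructed in-memory user table. The two payloads show the outcomes the text mentions, an authentication bypass that lands in the admin role and a UNION clause that pulls the password column out of the database; the parameterized version treats the same input as plain data. The table, users and passwords are constructed sample data.

```python
import sqlite3


# Constructed sample data: an in-memory user table standing in for an
# application's database. Nothing here is MOVEit's own schema or code.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "user"), ("admin", "s3cret", "admin")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable: untrusted input is spliced into the SQL text,
    so quotes, comment markers and UNION clauses in the input become SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the statement is fixed and the values travel as bound
    parameters, so the input is only ever compared, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two payloads of the kind described above: one closes the quoted string and
# comments out the password check (bypass, landing in the admin role), the
# other appends a UNION that returns a column the query never exposed.
BYPASS_USER = "admin' -- "
EXFIL_USER = "' UNION SELECT username, password FROM users -- "


def demo() -> dict:
    """Run both payloads through both implementations and return the rows."""
    conn = build_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "safe_bypass": login_safe(conn, BYPASS_USER, "wrong"),
        # sorted() because UNION does not guarantee row order
        "vulnerable_exfil": sorted(login_vulnerable(conn, EXFIL_USER, "wrong")),
        "safe_exfil": login_safe(conn, EXFIL_USER, "wrong"),
        "legit": login_safe(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hardened version does not validate the input at all; it simply never lets the input reach the SQL parser, which is why parameterized statements (or a query builder that uses them) are the fix of record for this class, with input validation as a second layer.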
Successful exploitation can lead to immediate deployment of ransomware or other malicious actions on the server, including disabling antivirus and executing arbitrary code.

The human2.aspx web shell establishes a database connection using the credentials obtained from the SystemSettings.DatabaseSettings() method. It then reads the X-siLock-Comment request header and compares it with a hardcoded value. If the values do not match, it returns a 404 response, so to anyone who does not know the expected value the file looks like a missing page. If the header matches, execution continues and the shell sets additional response headers. Depending on the value of instid (a request header), it then performs different operations.

This web shell is only one component of a larger exploitation chain. Its presence on a server indicates a significant security breach and should be addressed immediately to prevent further unauthorized access and potential harm.

Note: the file name does not have to be human2.aspx; the same web shell may be dropped under another name, so detection should not rely on the name alone.

OS: Windows
Vulnerable Versions: MOVEit Transfer versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1)
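As an added example, not part of the original article and not Uptycs or Progress tooling, the following Python hunt applies the facts above: the shell checks the X-siLock-Comment header, calls SystemSettings.DatabaseSettings(), answers 404 when the header is missing, and is not tied to one file name. It flags .aspx files in the web root that are absent from a known-good baseline or that contain those marker strings, and it parses IIS W3C log lines for requests to non-baseline .aspx pages, keeping 404 hits as well as 200s. The web root contents, baseline list, log lines and IP addresses are constructed for the demo; a real baseline should come from a clean install of the same MOVEit Transfer version.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Strings the text attributes to the web shell: the request header it checks
# and the MOVEit method it calls to obtain database credentials.
SHELL_MARKERS = ("X-siLock-Comment", "SystemSettings.DatabaseSettings")

# Constructed baseline of .aspx files expected in the web root. Only
# guestaccess.aspx is a name taken from the text; a real hunt takes this set
# from a known-good install of the same version.
BASELINE_ASPX = {"guestaccess.aspx"}


def scan_webroot(root: Path, baseline: set[str]) -> list[dict]:
    """Flag .aspx files not in the baseline or containing shell markers.
    The marker check is name-independent, which covers a renamed shell."""
    findings = []
    for path in sorted(root.rglob("*.aspx")):
        reasons = []
        if path.name.lower() not in baseline:
            reasons.append("not in baseline")
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            text = ""
        hits = [m for m in SHELL_MARKERS if m in text]
        if hits:
            reasons.append("contains " + ", ".join(hits))
        if reasons:
            findings.append({"file": str(path.relative_to(root)), "reasons": reasons})
    return findings


def suspicious_requests(log_lines: list[str], baseline: set[str]) -> list[tuple]:
    """Parse IIS W3C log lines (field names come from the #Fields header) and
    return (client_ip, uri, status) for requests to non-baseline .aspx pages.
    404s are kept: the shell returns 404 to requests lacking its header."""
    fields = None
    out = []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        uri = rec.get("cs-uri-stem", "")
        name = uri.rsplit("/", 1)[-1].lower()
        if name.endswith(".aspx") and name not in baseline:
            out.append((rec.get("c-ip"), uri, rec.get("sc-status")))
    return out


def demo() -> tuple[list[dict], list[tuple]]:
    """Build a constructed web root and log sample, then run both checks."""
    baseline = {n.lower() for n in BASELINE_ASPX}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "guestaccess.aspx").write_text("<%@ Page %> legitimate page")
        # the shell under its reported name ...
        (root / "human2.aspx").write_text(
            '<% if (Request.Headers["X-siLock-Comment"] != "expected") '
            "{ Response.StatusCode = 404; } %>")
        # ... and shell code under a different name, as the note warns
        (root / "healthcheck.aspx").write_text(
            "<% var db = SystemSettings.DatabaseSettings(); %>")
        files = scan_webroot(root, baseline)
    # Constructed IIS W3C log lines; addresses are documentation ranges.
    logs = [
        "#Software: Microsoft Internet Information Services",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
        "cs-username c-ip cs(User-Agent) sc-status",
        "2023-06-01 02:13:10 10.0.0.5 GET /guestaccess.aspx - 443 - 198.51.100.7 Mozilla/5.0 200",
        "2023-06-01 02:13:11 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.7 python-requests/2.31 200",
        "2023-06-01 02:14:02 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.9 curl/8.0 404",
    ]
    return files, suspicious_requests(logs, baseline)


if __name__ == "__main__":
    files, reqs = demo()
    print("files:", files)
    print("requests:", reqs)
```

Pointing scan_webroot at the real MOVEit Transfer web root and suspicious_requests at the IIS log directory turns this into a usable triage pass; any file it flags should be preserved for forensics rather than simply deleted, since the shell's database credentials and the attacker's requests are the evidence of what was accessed.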
Query to determine the vulnerable software

A second SQL injection vulnerability affects older versions of MOVEit Transfer and is tracked as CVE-2023-35036. The affected versions are those released before 2020.1.9 (12.1.9), 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), as well as versions 2020.0.x (12.0) and older. The vulnerability allows an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database: by sending a specially crafted payload to a MOVEit Transfer application endpoint, the attacker can modify and disclose the contents of the MOVEit database. Patches are available for the supported versions, and there are two options for fixing this vulnerability:

Note: A special patch is available for MOVEit Transfer 2020.1.x (12.1); MOVEit Transfer 2020.0.x (12.0) or older must be upgraded to a supported version.

OS: Windows
Vulnerable Versions: MOVEit Transfer versions released before 2020.1.9 (12.1.9), 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), 2023.0.2 (15.0.2) and versions 2020.0.x (12.0) and older
CVSSv3 Score: 9.1
Advisory link: MOVEit Transfer Advisory
Query to determine the vulnerable software
Detection through vulnerability scan

On June 15, Progress Software disclosed a further SQL injection vulnerability in MOVEit Transfer, tracked as CVE-2023-35708, which could result in escalated privileges and unauthorized access to the environment. As an interim mitigation, Progress advised customers to disable all HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied. The affected versions are those released before 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), as well as versions 2020.0.x (12.0) and older. Progress has released a patch: download it from the advisory page and apply it as soon as possible. A new full release of the software is still under development.

OS: Windows
Vulnerable Versions: MOVEit Transfer versions released before 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) and versions 2020.0.x (12.0) and older
CVSSv3 Score: Not available yet
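The fixed-version lists for all three CVEs share one shape, a first patched build per release branch, so the version check can be written once and reused for each "Query to determine the vulnerable software" step. This is an added example in Python, not the Uptycs query the page refers to and not Progress tooling. It encodes the thresholds exactly as listed above, accepts both the year form (2022.1.7) and the build form (14.1.7), and reports which CVEs remain open for each host in a constructed inventory. How it treats branches the advisories do not list (older than the oldest patched branch counted as vulnerable, newer counted as fixed) is this example's assumption, as are the hostnames and versions in the sample inventory.

```python
from __future__ import annotations

# First patched build per release branch, exactly as the advisories quoted
# above list them, keyed (major, minor) in build form. Year form and build
# form name the same release: 2021.0.6 is 13.0.6, 2023.0.3 is 15.0.3.
FIXED_BUILD = {
    "CVE-2023-34362": {(13, 0): 6, (13, 1): 4, (14, 0): 4, (14, 1): 5, (15, 0): 1},
    "CVE-2023-35036": {(12, 1): 9, (13, 0): 7, (13, 1): 5, (14, 0): 5, (14, 1): 6, (15, 0): 2},
    "CVE-2023-35708": {(12, 1): 10, (13, 0): 8, (13, 1): 6, (14, 0): 6, (14, 1): 7, (15, 0): 3},
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Accept either form and return build-form (major, minor, patch).
    The year form maps as major = year - 2008 (2020 -> 12 ... 2023 -> 15)."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) < 2:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor = parts[0], parts[1]
    patch = parts[2] if len(parts) > 2 else 0
    if major >= 2000:
        major -= 2008
    return major, minor, patch


def is_vulnerable(version: str, cve: str) -> bool:
    """True when the installed build is below the fixed build for its branch."""
    major, minor, patch = parse_version(version)
    table = FIXED_BUILD[cve]
    branch = (major, minor)
    if branch in table:
        return patch < table[branch]
    # Branch absent from the advisory table. Assumption of this example:
    # anything older than the oldest patched branch is out of support with
    # no fix (the page lists 12.0 and older as vulnerable); anything newer
    # is taken to ship with the fix.
    return branch < min(table)


def vulnerable_cves(version: str) -> list[str]:
    """All CVEs on this page still open for the given installed version."""
    return [cve for cve in FIXED_BUILD if is_vulnerable(version, cve)]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map host -> installed version to host -> open CVEs (empty = patched)."""
    return {host: vulnerable_cves(ver) for host, ver in inventory.items()}


# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "mft-01": "15.0.2",      # patched for the first two, not for CVE-2023-35708
    "mft-02": "2021.0.5",    # year form of 13.0.5: open to all three
    "mft-03": "14.0.4",      # fixed for CVE-2023-34362 only
    "mft-legacy": "12.0.3",  # 12.0 branch: no fix, must upgrade
    "mft-04": "2022.1.7",    # 14.1.7: fully patched
}


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) if cves else 'patched'}")
```

Because each advisory raised the threshold on every branch, a host that is clean for CVE-2023-35708 is also clean for the two earlier CVEs, but not the other way round; checking only the first CVE's list would miss hosts that were patched in early June and then left alone.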
Query to determine the vulnerable software
Detection through vulnerability scan

MOVEit Active Exploits
Uptycs Analysis of MOVEit Vulnerability CVE-2023-34362
Uptycs Query to Retrieve Vulnerable Hosts/Images:
Uptycs Analysis of CVE-2023-35036
Uptycs Query to Retrieve Vulnerable Hosts/Images:
Uptycs Analysis of CVE-2023-35708