The MOVEit Transfer Zero-Day Vulnerabilities: What You Need to Know
2023-6-21 04:39:30 Author: www.uptycs.com

The United States Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. federal agencies to patch systems by June 23 against a security flaw in the Progress MOVEit Transfer managed file transfer (MFT) solution currently being exploited.

The advisory comes on the heels of a third critical vulnerability identified by Progress Software in less than a month. The latest vulnerability, CVE-2023-35708, is a SQL injection flaw that might permit an unauthenticated user to escalate privileges and access the database. All MOVEit Transfer versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) are vulnerable.

A SQL injection vulnerability is a security flaw that allows unauthorized individuals to manipulate a website or application's database. This vulnerability occurs when user input is not properly validated or sanitized, allowing an attacker to insert malicious SQL code into input fields. 

MOVEit Active Exploits

A ransomware group known as Cl0P (or CLOP) recently used the vulnerabilities in the software to attack hundreds of organizations, including universities, banks, and major multinational corporations. 

Multiple federal agencies, including two Department of Energy entities, reported last week they had been victimized by the attack, along with state government agencies. 

CL0P claimed on its dark website to have “information on hundreds of companies” as part of its attack. The group also said that if the victim organization was “a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”

Uptycs Analysis of MOVEit Vulnerability CVE-2023-34362

The attack involves deploying a web shell named human2.aspx in the server's directory. The web shell uses moveitisapi.dll to perform SQL injection and guestaccess.aspx to extract session information. Exploiting the vulnerability can lead to immediate deployment of ransomware or other malicious actions, with the ability to disable antivirus and execute arbitrary code.

The human2.aspx web shell establishes a database connection using credentials provided by the SystemSettings.DatabaseSettings() method. It checks for a specific header value (X-siLock-Comment) and compares it with a hardcoded value. If the values don't match, it returns a 404 response, indicating access is denied. If the header value matches, it continues executing and sets additional headers. Depending on the value of instid (a request header), it performs different operations:

  • If instid equals -1, it executes several database queries to retrieve data related to files, folders, and institutions. The resulting data is then formatted and written to the response, which is compressed using gzip before being sent.
  • If instid equals -2, it executes a database query to delete a user from the users table based on a specific condition.
  • For any other value of instid, it handles file retrieval and download. It decrypts a file specified by file id from a specified folder, compresses it using gzip, and sends it as a downloadable response.

It's important to note that this web shell code snippet is likely part of a larger attack or exploitation scenario. The presence of such a web shell on a server indicates a significant security breach and should be addressed immediately to prevent further unauthorized access and potential harm.

Note: the web shell does not have to be named “human2.aspx”.
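A defender-side check that follows from the description above and from the note that the file name is not fixed, written as an added example (not code from the Uptycs post): it parses IIS W3C log lines and reports every request for an .aspx page that is not in a known-good baseline of the MOVEit web root. The baseline, the client addresses and the log lines are constructed samples.

```python
"""Flag requests for unexpected .aspx pages in IIS W3C logs.

Added example, not from the Uptycs post. MOVEit Transfer ships a fixed set
of .aspx pages, so a request for one outside a known-good baseline
(human2.aspx or any other name) deserves triage.
"""
from collections import defaultdict

# Constructed allowlist; build the real one from a clean install of your version.
KNOWN_ASPX = {"/human.aspx", "/guestaccess.aspx", "/machine.aspx"}

# Constructed IIS W3C sample; field order comes from the #Fields header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-06-01 10:00:01 10.0.0.5 GET /human.aspx - 443 203.0.113.7 200
2023-06-01 10:00:02 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 203.0.113.7 200
2023-06-01 10:00:03 10.0.0.5 POST /guestaccess.aspx - 443 203.0.113.7 200
2023-06-01 10:00:05 10.0.0.5 POST /human2.aspx - 443 203.0.113.7 200
2023-06-01 10:00:06 10.0.0.5 GET /human2.aspx - 443 198.51.100.9 404
2023-06-01 10:00:09 10.0.0.5 POST /backdoor.aspx - 443 203.0.113.7 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def unexpected_aspx(text, baseline=KNOWN_ASPX):
    """Return {client_ip: [(uri, status), ...]} for .aspx requests off the baseline.

    The name is deliberately not the test: the post notes the shell need not be
    called human2.aspx. The status is kept because the shell answers 404 when
    its header check fails, so a 404 for an unknown page is not just noise.
    """
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if uri.endswith(".aspx") and uri not in baseline:
            hits[rec["c-ip"]].append((uri, rec["sc-status"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in unexpected_aspx(SAMPLE_LOG).items():
        print(ip, reqs)
```

Requests for moveitisapi.dll and guestaccess.aspx are legitimate on their own, which is why the check keys on pages outside the baseline rather than on those two names.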

OS: Windows

Vulnerable Versions: MOVEit Transfer versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) 

CVSSv3 Score: 9.8

MOVEit Transfer Advisory

Uptycs Query to Retrieve Vulnerable Hosts/Images:


Query to determine the vulnerable software

Uptycs Analysis of CVE-2023-35036

A SQL injection vulnerability, tracked as CVE-2023-35036, affects older versions of MOVEit Transfer. The affected versions are those released before 2020.1.9 (12.1.9), 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), plus versions 2020.0.x (12.0) and older. This vulnerability allows an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.

By sending a specially crafted malicious payload to certain parts of the MOVEit Transfer web application, the attacker can manipulate and access the content stored in the MOVEit database. To address this issue, patches have been developed and are available for the supported versions.

There are two options to fix this vulnerability:

  1. DLL Drop-In: Download the patch from the advisory page and replace existing files with the files present in the patch.
  2. Upgrade to the latest version: Progress has also released a new version of MOVEit Transfer that addresses this vulnerability.

Note: A special patch is available for MOVEit Transfer 2020.1.x (12.1); MOVEit Transfer 2020.0.x (12.0) or older must be upgraded to a supported version.

OS: Windows

Vulnerable Versions: MOVEit Transfer versions released before 2020.1.9 (12.1.9), 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), 2023.0.2 (15.0.2) and versions 2020.0.x (12.0) and older.

CVSSv3 Score: 9.1

Advisory link: MOVEit Transfer Advisory

Uptycs Query to Retrieve Vulnerable Hosts/Images:


Query to determine the vulnerable software


Detection through vulnerability scan

Uptycs Analysis of CVE-2023-35708

On June 15, Progress Software disclosed a new SQL injection vulnerability in its MOVEit Transfer application, which could potentially result in unauthorized access and escalated privileges. 

The vulnerability is tracked as CVE-2023-35708. As a mitigation, Progress Software advises customers to disable all HTTP and HTTPS traffic on ports 80 and 443 for MOVEit Transfer. The affected versions are those released before 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), plus versions 2020.0.x (12.0) and older.

Progress has released a patch; download it from the advisory page and apply it as soon as possible. A new version of the software is under development.

OS: Windows

Vulnerable Versions: MOVEit Transfer versions released before 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) and versions 2020.0.x (12.0) and older.
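The three "Vulnerable Versions" lists in this post (for CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708) can be turned into an offline triage check for a collected MOVEit Transfer build number. This is an added example, not an Uptycs query; it assumes the build string is of the form major.minor.patch (for instance 14.1.5), treats any branch older than the oldest listed fixed branch as vulnerable (the post's "2020.0.x (12.0) and older" clause, and "prior to" for CVE-2023-34362), and the sample builds it is run on are constructed.

```python
"""Triage a MOVEit Transfer build number against the fixed versions in the post.

Added example, not an Uptycs query. The tables encode the "versions prior to /
released before" lists given for each CVE above; sample inputs are constructed.
"""

# First fixed patch level per release branch (major, minor), as listed per CVE.
FIXED = {
    "CVE-2023-34362": {(13, 0): 6, (13, 1): 4, (14, 0): 4, (14, 1): 5, (15, 0): 1},
    "CVE-2023-35036": {(12, 1): 9, (13, 0): 7, (13, 1): 5, (14, 0): 5, (14, 1): 6, (15, 0): 2},
    "CVE-2023-35708": {(12, 1): 10, (13, 0): 8, (13, 1): 6, (14, 0): 6, (14, 1): 7, (15, 0): 3},
}

def parse_version(s):
    """'14.1.5' or '14.1.5.123' -> (14, 1, 5); raises ValueError on junk."""
    parts = [int(p) for p in s.strip().split(".")]
    if len(parts) < 3:
        raise ValueError(f"need major.minor.patch, got {s!r}")
    return tuple(parts[:3])

def status(version, cve):
    """Return 'vulnerable', 'fixed' or 'unknown' for one CVE.

    A branch older than the oldest listed fixed branch is vulnerable (assumed
    from the post's "and older" / "prior to" wording); a branch newer than
    everything listed is 'unknown' because the post says nothing about it.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    fixed = FIXED[cve]
    if branch in fixed:
        return "fixed" if patch >= fixed[branch] else "vulnerable"
    if branch < min(fixed):
        return "vulnerable"
    return "unknown"

def triage(version):
    """Map each CVE in the post to the host's status for it."""
    return {cve: status(version, cve) for cve in FIXED}

if __name__ == "__main__":
    for v in ("15.0.1", "14.1.6", "12.0.3"):   # constructed sample builds
        print(v, triage(v))
```

A host on 15.0.1 is fixed for CVE-2023-34362 but still vulnerable to the two later CVEs, which is the point of checking all three lists rather than the first one.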

CVSSv3 Score: Not available yet

MOVEit Transfer Advisory


Query to determine the vulnerable software


Detection through vulnerability scan


Source: https://www.uptycs.com/blog/the-moveit-transfer-zero-day-vulnerabilities-what-you-need-to-know