MoveIt Transfer vulnerability targeted amid disclosure drama
Progress Software's MoveIt Transfer is under attack again, just one year after a Clop ransomware actor exploited a different zero-day MoveIt flaw against thousands of customers.
Another vulnerability in Progress Software's MoveIt Transfer product is under attack amid an apparent leak of the flaw's details.
In security alerts published on Tuesday, Progress detailed two critical improper authentication vulnerabilities: CVE-2024-5806, affecting its MoveIt Transfer product, and CVE-2024-5805, in its MoveIt Gateway product. Reports of exploitation attempts against CVE-2024-5806 are mounting, and past attacks show why prompt patching is crucial. Last year, the Clop ransomware group claimed thousands of MoveIt Transfer customers as victims by exploiting a different zero-day vulnerability in the managed file transfer product.
The Shadowserver Foundation, a non-profit cybersecurity organization, began observing exploitation attempts against CVE-2024-5806 on Tuesday. The organization emphasized that exploitation started promptly following public disclosure, a trend that's become increasingly concerning for the infosec industry.
"Very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts. If you run MOVEit & have not patched yet - please do so now," The Shadowserver Foundation wrote on X, formerly Twitter.
Progress released fixes for both flaws on June 11 and urged users to upgrade to the latest MoveIt versions. However, there is a caveat that may deter timely patching. "Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running," Progress Software wrote in both security alerts.
Regarding CVE-2024-5806, the vendor also warned users that there's a new vulnerability in an unnamed third-party component used in MoveIt Transfer that "elevates the risks of the original issue mentioned above if left unpatched." Progress Software also noted that its patch does not remediate the third-party risk.
Progress clarified the disclosure timeline in a statement to TechTarget Editorial on Tuesday.
"We internally confirmed a vulnerability in MOVEit Transfer, notified customers and provided a patch on June 11, 2024. Currently, we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct operational impact to customers. To be clear, these vulnerabilities are not related to the zero-day MOVEit Transfer vulnerability we reported in May 2023."
Progress said it still has not received reports of exploitation as of Wednesday.
Vulnerability disclosure drama
Just prior to Progress Software's public disclosure of CVE-2024-5806 on Tuesday, cybersecurity vendor WatchTowr Labs revealed in a blog post that an anonymous source, who goes by the handle dav1d_b141ne, had previously published details about the vulnerability in an Internet Relay Chat channel. According to a chat transcript sent to WatchTowr, dav1d_b141ne said that Progress Software was contacting customers regarding an improper authentication bypass vulnerability in its MoveIt Transfer product. The source stressed that advanced persistent threat groups and ransomware gangs might already be aware of the critical flaw.
The source also emphasized how Progress said the vulnerability can lead to authentication bypass only in "limited scenarios." Dav1d_b141ne provided WatchTowr with patched and unpatched instances of MoveIt Transfer.
While testing the vulnerability, WatchTowr researchers concluded that the issue involves two separate vulnerabilities: one in Progress MoveIt and one in the third-party IPWorks SSH server library. WatchTowr described IPWorks as a "moderately popular commercial product, averaging 33 downloads a day." The library is used as part of MoveIt's authentication process. WatchTowr stressed that the vulnerability resulted from the interplay between MoveIt and IPWorks SSH, specifically a failure to handle an error condition.
WatchTowr researchers stressed that this type of vulnerability is not easily discoverable, and it remains unclear how Progress Software and dav1d_b141ne discovered it. WatchTowr applauded Progress Software, assuming it had found the vulnerability during a routine code review and analyzed the root cause.
"If this is indeed the case, we take our hats off to Progress for taking the issue as seriously as it deserves, and not attempting to sweep it under the rug, as we've seen other vendors do," WatchTowr wrote in the blog post. "On the other hand, we are somewhat troubled (could you guess) by the advisory's use of the term 'limited scenarios,' as we can't yet determine scenarios that could prevent trivial exploitation."
However, Progress Software has since removed the "limited scenarios" language from the advisory. The vendor did not respond to a request for comment regarding the removal.
WatchTowr also applauded Progress Software's private disclosure process with customers that may have been ongoing for weeks or months. "We do not expect anyone to still be vulnerable due to the embargo, and the efforts taken proactively by Progress to ensure customers deployed patches," the blog said.
Ryan Emmons, lead security researcher at Rapid7, also addressed the vulnerabilities in a blog post published on Tuesday and warned exploitation could lead to an authentication bypass. While testing a vulnerable MoveIt Transfer instance, Emmons said, Rapid7 researchers identified three conditions required for exploitation.
"As of June 25, the known criteria for exploitation are threefold: that attackers have knowledge of an existing username, that the target account can authenticate remotely, and that the SFTP [SSH File Transfer Protocol] service is exposed," Emmons wrote in the blog.
Emmons also warned that attackers might spray usernames to identify valid accounts and urged customers to install patches "on an emergency basis." He conducted a Shodan search that indicated there are around 1,000 public-facing MoveIt Transfer instances and 70 public-facing MoveIt Gateway instances. However, it's unclear how many remain vulnerable.
Emmons told TechTarget Editorial that it's essential for organizations to mitigate CVE-2024-5806 quickly since attacks put sensitive data at risk. "Based on our analysis, exploiting CVE-2024-5806 permits an attacker to bypass the usual account login process and directly gain unauthorized access to files on the server," Emmons said.
Caitlin Condon, director of vulnerability research and intelligence at Rapid7, told TechTarget Editorial that the security vendor had not received reports of exploitation as of Wednesday.
"We have not seen exploitation directly, but third parties have reported attempts against cloud honeypots. We do not consider this totally confirmed exploitation, and this information is already in the blog. We will proactively let you know if MDR [managed detection and response] or [incident response] sees any exploitation that they can verify with high confidence."
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.