Hackers waste no time exploiting new bug in MOVEit Transfer – Hacker

Attackers are already trying to exploit a critical authentication bypass vulnerability in Progress MOVEit Transfer, although less than a day has passed since the vulnerability was disclosed.

As a reminder, MOVEit Transfer is a file transfer management solution that is widely used in enterprise environments to securely transfer files between business partners and clients using SFTP, SCP and HTTP protocols.


Last year, thousands of organizations suffered from numerous bugs in MOVEit Transfer, including such giants as Sony, IBM, Siemens Energy, Schneider Electric, British Airways, as well as hundreds of educational institutions and about 85 million people.

This week a new problem was discovered in MOVEit Transfer (CVE-2024-5806, CVSS score 9.1), which allows attackers to bypass the authentication process in the Secure File Transfer Protocol (SFTP) module, the component responsible for file transfer operations over SSH.

As a result, an attacker can gain access to confidential data stored on the MOVEit Transfer server, and can also upload, download, delete or modify files, intercept or interfere with the file transfer process.

Almost immediately after the disclosure of the problem, Shadowserver Foundation specialists warned about attempts to exploit CVE-2024-5806. According to Censys analysts, there are currently approximately 2,700 vulnerable instances of MOVEit Transfer exposed on the Internet, most of them located in the US, UK, Germany, Canada and the Netherlands.


The Shadowserver Foundation's warning came shortly after watchTowr disclosed technical details of the vulnerability, described how it can be exploited, and explained what exactly defenders should look for in the logs to detect signs of an attack.

watchTowr experts conducted technical analysis of how attackers can manipulate SSH public key paths to force a server to authenticate through attacker-controlled paths, which could ultimately lead to the disclosure of Net-NTLMv2 hashes.

Even worse, a PoC exploit for CVE-2024-5806 has already been published by watchTowr and is freely available.

According to the developer, Progress Software, CVE-2024-5806 affects the following versions of MOVEit Transfer:

• 2023.0.0 to 2023.0.11;
• 2023.1.0 to 2023.1.6;
• 2024.0.0 to 2024.0.2.

Patches are included in MOVEit Transfer 2023.0.11, 2023.1.6 and 2024.0.2, which are already available on the Progress Community portal.
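The version list above is what an administrator needs to triage an estate of MOVEit Transfer servers. The PowerShell below is an added example, not code from the article or from Progress Software: it takes a constructed inventory of version strings and reports which ones fall in the affected branches named here. Note that the article gives 2023.0.11, 2023.1.6 and 2024.0.2 both as the upper bound of the affected ranges and as the releases carrying the patch; the script assumes those patched releases are fixed and flags only versions below them, and it reports branches the article does not mention as "NotListed" rather than treating them as safe. The host names are placeholders.

```powershell
# Added example (not from the article or from Progress Software): triage a list
# of MOVEit Transfer version strings against the branches the article names as
# affected by CVE-2024-5806.
#
# ASSUMPTION: the article lists 2023.0.11, 2023.1.6 and 2024.0.2 both as the
# top of the affected ranges and as the patched releases; this script treats
# those patched releases as fixed and flags only versions below them.

# Lowest fixed release per affected branch (major.minor), taken from the article.
$FixedRelease = @{
    '2023.0' = [version]'2023.0.11'
    '2023.1' = [version]'2023.1.6'
    '2024.0' = [version]'2024.0.2'
}

function Get-MoveitPatchStatus {
    param([Parameter(Mandatory)][string]$VersionString)

    $v = $null
    if (-not [version]::TryParse($VersionString, [ref]$v)) {
        return 'Unparseable'
    }
    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    if (-not $FixedRelease.ContainsKey($branch)) {
        # Branches the article does not mention are reported, not assumed safe.
        return 'NotListed'
    }
    if ($v -lt $FixedRelease[$branch]) { return 'Affected' }
    return 'Patched'
}

# Constructed inventory (placeholder hosts), e.g. as exported from a CMDB.
$inventory = @(
    @{ Host = 'mft-01.example.internal'; Version = '2023.0.9' }
    @{ Host = 'mft-02.example.internal'; Version = '2023.1.6' }
    @{ Host = 'mft-03.example.internal'; Version = '2024.0.1' }
    @{ Host = 'mft-04.example.internal'; Version = '2022.1.3' }
)

foreach ($item in $inventory) {
    [pscustomobject]@{
        Host    = $item.Host
        Version = $item.Version
        Status  = Get-MoveitPatchStatus -VersionString $item.Version
    }
}
```

With the constructed inventory, mft-01 and mft-03 come back as Affected, mft-02 as Patched and mft-04 as NotListed; anything in the last category should be checked against the vendor advisory rather than dismissed.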

Progress Software also noted that another problem was discovered in a third-party component used by MOVEit Transfer, which increases the risk associated with exploitation of CVE-2024-5806.

To mitigate this defect until the third-party vendor releases a patch, administrators are advised to block access to MOVEit Transfer servers via RDP and to limit outgoing connections to known and trusted endpoints only.
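The interim mitigation above can be applied on the Windows host with the built-in NetSecurity firewall cmdlets. The block below is an added example, not code from the article or from Progress Software; it blocks inbound RDP, allows outbound traffic only to a trusted list, and makes "block" the default outbound action. The addresses are placeholders from the RFC 5737 documentation ranges and must be replaced with the endpoints MOVEit genuinely needs (domain controllers and DNS, the update source, monitoring, partner hosts). Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or from Progress Software): apply the
# interim mitigation on a Windows host running MOVEit Transfer.
#
# ASSUMPTION: the addresses below are placeholders (RFC 5737 documentation
# ranges); replace them with your own trusted endpoints.
$TrustedEndpoints = @(
    '203.0.113.10',      # placeholder: internal DNS / domain controller
    '198.51.100.0/24'    # placeholder: partner range MOVEit must reach
)

# 1. Block inbound RDP to the MOVEit server.
New-NetFirewallRule -DisplayName 'MOVEit hardening: block inbound RDP' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Action Block -Profile Any -Enabled True

# 2. Allow outbound traffic to the trusted list ...
New-NetFirewallRule -DisplayName 'MOVEit hardening: allow outbound to trusted endpoints' `
    -Direction Outbound -RemoteAddress $TrustedEndpoints `
    -Action Allow -Profile Any -Enabled True

# ... and deny every other outbound connection that no explicit allow rule
# covers. Block rules take precedence over allow rules in Windows Firewall,
# so the RDP block above is not affected by this.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 3. Verify what was applied.
Get-NetFirewallRule -DisplayName 'MOVEit hardening:*' |
    Select-Object DisplayName, Direction, Action, Enabled
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
```

Two points on the design: Windows ships with enabled "Core Networking" outbound allow rules (DNS, DHCP and similar), so a default outbound block does not cut basic connectivity, but any other service the server relies on needs its own allow rule or an entry in the trusted list. The outbound restriction is also what stops the server from reaching an arbitrary external host, which is the channel the authentication coercion described earlier in the article depends on; it is an interim measure and not a substitute for installing the patched releases.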

Additionally, Progress Software has released a security bulletin regarding a similar authentication bypass issue, CVE-2024-5805, which affects MOVEit Gateway 2024.0.0.
