Critical MOVEit Transfer Flaw (CVE-2024-5806)

Summary

Threat actors are swiftly attempting to exploit a new, critical authentication bypass vulnerability in Progress MOVEit Transfer. MOVEit Transfer is a managed file transfer (MFT) solution used by enterprises for secure file exchange with business partners and customers over the SFTP, SCP, and HTTP protocols. The newly identified flaw (CVE-2024-5806) enables attackers to bypass authentication in the SFTP module, which handles file transfers over SSH.


Threat intelligence

Exploits actively observed


Technical Details

CVE-2024-5806, with a CVSS score of 9.1 (Critical), is an authentication bypass affecting several versions of Progress MOVEit Transfer: 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2. According to an advisory released on Tuesday, “an improper authentication vulnerability in the MOVEit Transfer SFTP module can lead to authentication bypass”.


Shortly after disclosure of the bulletin on CVE-2024-5806, Shadowserver Foundation reported observing attempts to exploit the vulnerability, indicating that hackers are already targeting exposed endpoints. Censys network scans revealed that approximately 2,700 MOVEit Transfer instances were accessible on the internet, predominantly located in the US, UK, Germany, Canada, and the Netherlands. The exact proportion of these instances that have not yet applied the necessary security updates or mitigations remains unknown.

[Figure: Internet-exposed MOVEit Transfer instances. Source: Censys]


The exploitation attempts reported by Shadowserver followed the publication of technical details by the offensive security company watchTowr, which provided a comprehensive analysis of the vulnerability, including exploitation methods and indicators of compromise that defenders should monitor in their logs. watchTowr also explained how attackers could manipulate SSH public key paths to force the server to authenticate against attacker-controlled paths, potentially exposing Net-NTLMv2 hashes. Additionally, proof-of-concept exploit code for CVE-2024-5806 is now publicly available from watchTowr and security researcher Sina Kheirkhah. Given the availability of this information, it is crucial for organizations to promptly apply the related security updates and mitigations, as attack attempts are expected to increase.


Progress issued fixes in MOVEit Transfer versions 2023.0.11, 2023.1.6, and 2024.0.2, available on the Progress Community portal. Customers without an active maintenance agreement should contact the Renewals team or their Progress partner representative to resolve the issue. MOVEit Cloud customers are not required to take any action, as patches have already been automatically deployed.
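The affected ranges above and the fixed releases in this paragraph can be turned into a quick inventory triage check. The script below is an added example and not code from Progress or this bulletin; the host names and version strings in it are constructed sample data, and the affected/fixed boundaries come from the bulletin text.

```python
from typing import List, Tuple

# Affected ranges from the bulletin: (branch, first affected, first fixed release, excluded).
AFFECTED_RANGES = [
    ("2023.0", "2023.0.0", "2023.0.11"),
    ("2023.1", "2023.1.0", "2023.1.6"),
    ("2024.0", "2024.0.0", "2024.0.2"),
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2023.0.11' into (2023, 0, 11); string comparison would rank 2023.0.9 above 2023.0.11."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if len(parts) < 3:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return parts[0], parts[1], parts[2]

def classify(version: str) -> str:
    """'affected', 'fixed', or 'not_in_bulletin' for a MOVEit Transfer version string."""
    v = parse_version(version)
    for _branch, first_bad, first_fixed in AFFECTED_RANGES:
        lo, hi = parse_version(first_bad), parse_version(first_fixed)
        if lo <= v < hi:
            return "affected"
        if v[:2] == hi[:2] and v >= hi:
            return "fixed"
    # Branches the bulletin does not list (e.g. older releases) are reported, not assumed safe.
    return "not_in_bulletin"

def fixed_release_for(version: str) -> str:
    """Fixed release on the same branch as the given version, or '' if the branch is unlisted."""
    branch = "%d.%d" % parse_version(version)[:2]
    return next((fix for b, _, fix in AFFECTED_RANGES if b == branch), "")

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, fixed_release) for every affected host in the inventory."""
    return [(h, ver, fixed_release_for(ver)) for h, ver in inventory if classify(ver) == "affected"]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("mft-01", "2023.0.10"), ("mft-02", "2023.1.6"),
              ("mft-03", "2024.0.1"), ("mft-04", "2022.1.9")]
    for host, ver, fix in triage(sample):
        print(f"{host}: {ver} affected by CVE-2024-5806, upgrade to {fix}")
```

Hosts reported as `not_in_bulletin` run a branch the advisory does not cover and should be checked against Progress's guidance rather than treated as patched.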


Progress also released a security bulletin regarding a similar authentication bypass issue, CVE-2024-5805, affecting MOVEit Gateway 2024.0.0. MOVEit is extensively used in enterprise environments, making it a prime target for hackers. This is especially concerning given that the Clop ransomware group exploited a zero-day vulnerability last year to breach and extort thousands of organizations using MOVEit Transfer.


Recommendations

  • Immediately update MOVEit Transfer to the latest versions (2023.0.11, 2023.1.6, or 2024.0.2) as provided on the Progress Community portal.
  • If you do not have a current maintenance agreement, contact the Renewals team or your Progress partner representative to obtain the necessary updates.
  • Use the technical details provided by watchTowr to identify indicators of compromise and monitor logs for signs of exploitation attempts.
  • Block Remote Desktop Protocol (RDP) access to MOVEit Transfer servers and restrict outbound connections to known and trusted endpoints to mitigate related risks from the third-party component vulnerability.
  • Regularly check for updates and advisories from Progress and other security sources to stay informed about any new vulnerabilities or recommended actions.
  • MOVEit Cloud Customers – No action is required, as patches are automatically deployed.
