
Indusface Threat Coverage: MOVEit Transfer SQL Injection Vulnerabilities

Posted Date: June 20, 2023
Posted Time: 3 min read

Progress has recently raised concerns about multiple vulnerabilities in their MOVEit Transfer secure managed file transfer solution. These vulnerabilities have been publicly disclosed within the past several weeks, and the most recent one was reported on June 15, 2023.  

Notably, the latest vulnerability is claimed to be a zero-day SQL injection vulnerability. If exploited by an attacker, these vulnerabilities can lead to unauthorized access to the MOVEit Transfer database. 

Multiple Vulnerabilities on MOVEit Transfer 

As of now, three vulnerabilities have been disclosed: 

  • CVE-2023-34362 (May 31, 2023) 
  • CVE-2023-35036 (June 9, 2023) 
  • CVE-2023-35708 (June 15, 2023) 

CVE-2023-34362 (0-day) 

In late May 2023, Progress disclosed a critical vulnerability (CVE-2023-34362) found in the MOVEit Transfer web application. This vulnerability, classified as an SQL Injection flaw, poses a significant risk as it could enable unauthorized access to the database of MOVEit Transfer. 

Attackers associated with the Clop ransomware operation exploited CVE-2023-34362 as a zero-day before it was patched. Public proof-of-concept code for this exploit is available, so other malicious actors are highly likely to target systems that have not yet been patched. 

Severity: Critical  

CVSSv3.1: Base Score: 9.8 CRITICAL   

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

CVSSv2: Base Score: 9.3 HIGH   

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)  

Versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) are susceptible to the identified vulnerability. The vulnerability (CVE-2023-34362) was successfully addressed and patched on May 31. 

CVE-2023-35036 

On June 9, 2023, Progress discovered another SQL injection vulnerability in the MOVEit Transfer web application. CVE-2023-35036 has been assigned to this vulnerability. This vulnerability affects all MOVEit Transfer versions, wherein an attacker can submit a crafted payload to an application endpoint. Exploiting this vulnerability could lead to unauthorized modification and disclosure of MOVEit database content. 

To address these vulnerabilities, Progress Software has acted promptly and released patches for the following versions: 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). 

Severity: Critical  

CVSSv3.1: Base Score: 10.0 CRITICAL   

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSSv2: Base Score: 9.1 HIGH   

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)  

Exploit available in public: No  

Exploit complexity: Low  

CVE-2023-35708 

CVE-2023-35708, identified on June 15, 2023, is the third vulnerability found in MOVEit Transfer within three weeks. It could result in elevated privileges and unauthorized access to the environment, so MOVEit Transfer customers should take the prompt action outlined below to safeguard their MOVEit Transfer deployments. 


Prevention and Mitigation against Exploitation 

Apply the vendor's patches promptly whenever they are available and feasible. Progress has released patches for at least two of the vulnerabilities and is providing further updates on the most recently disclosed one. 

The following is a summary of the mitigations recommended by Progress Software:  

  • Restrict any HTTP and HTTPS traffic to the MOVEit Transfer environment. This can be accomplished by modifying firewall rules to block incoming traffic on ports 80 and 443 specifically for MOVEit Transfer. 
  • Conduct a thorough review and remove any unauthorized files and user accounts. Ensure only authorized and necessary files and user accounts are in the system. 
  • Reset the credentials for service accounts. This includes changing the passwords or access keys associated with service accounts to prevent unauthorized access and ensure that only authorized individuals can access these accounts. 
  • For all supported versions of MOVEit Transfer, it is crucial to apply the available patches. 

AppTrana WAAP Preventive Rules and Filters 

Apart from the patches provided by the vendor, AppTrana offers additional protection patterns that can serve as an extra layer of defence against potential exploits.  

To protect our customers, the Indusface managed security team developed rules that generate MOVEit-related alerts and block exploitation attempts. Our team continuously monitors exploitation activity related to these CVEs through the security rules listed below.  

AppTrana users can also verify their security controls against the following Web Application Firewall rules. 

Rule ID   Name
99839     MOVEit Transfer Vulnerability Detected – 1
99840     MOVEit Transfer Vulnerability Detected – 2
99841     MOVEit Transfer Vulnerability Detected – 3
99842     MOVEit Transfer Vulnerability Detected – 4
99843     MOVEit Transfer Vulnerability Detected – 5
99846     MOVEit Transfer Vulnerability Detected – 6

AppTrana customers are protected from this threat through web application firewall SQL Injection protection. 
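As an added illustration of the kind of inspection a SQL injection rule performs, the Python below is example code written for this page; it is not Indusface's AppTrana rule logic and it is not a signature for any specific MOVEit CVE. It parses constructed IIS W3C log lines (the /example/ paths, client addresses and requests are all made up) and flags query parameters that match generic SQL injection indicators after undoing double URL-encoding, which is a common way attempts try to slip past a filter that decodes only once.

```python
# Added example: a small SQL-injection detector run over constructed IIS W3C log
# lines. It is illustrative only; it is not Indusface's AppTrana rule logic and
# not a signature for any specific MOVEit CVE.
import re
from urllib.parse import parse_qsl, unquote_plus

# Generic SQL-injection indicators, each named so an alert can say why it fired.
SQLI_RULES = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+\bselect\b", re.I)),
    ("tautology", re.compile(
        r"['\"]?\s*\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?", re.I)),
    ("stacked-query", re.compile(
        r";\s*\b(drop|delete|update|insert|exec|waitfor|shutdown)\b", re.I)),
    ("quote-comment", re.compile(r"['\"].*(--|/\*|#)", re.S)),
]

# Field order matches the #Fields: header of the constructed log below.
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log. The /example/ paths and the addresses are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-06-16 10:01:02 10.0.0.5 GET /example/list.aspx folder=123&sort=name 443 alice 203.0.113.10 Mozilla/5.0 200
2023-06-16 10:01:09 10.0.0.5 GET /example/list.aspx folder=123'+UNION+SELECT+1,2,3-- 443 - 203.0.113.77 python-requests/2.31 500
2023-06-16 10:01:15 10.0.0.5 GET /example/search.aspx q=O'Brien 443 bob 203.0.113.11 Mozilla/5.0 200
2023-06-16 10:01:20 10.0.0.5 GET /example/list.aspx folder=1%2527%2520OR%25201%253D1%2520-- 443 - 203.0.113.77 curl/8.1 200
"""


def parse_iis_line(line):
    """Split one W3C log line into a dict; return None for directives and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def decode_params(query):
    """Return (name, value) pairs with values decoded twice.

    parse_qsl decodes one layer of percent-encoding; the second unquote_plus
    catches double-encoded payloads such as %2527 -> %27 -> '.
    """
    if query == "-":
        return []
    return [(name, unquote_plus(value))
            for name, value in parse_qsl(query, keep_blank_values=True)]


def match_rules(value):
    """Names of every rule that fires on a single decoded parameter value."""
    return [name for name, rx in SQLI_RULES if rx.search(value)]


def scan_log(lines):
    """Return one alert dict per suspicious query parameter in the log."""
    alerts = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        for name, value in decode_params(rec["cs-uri-query"]):
            hits = match_rules(value)
            if hits:
                alerts.append({"client": rec["c-ip"], "path": rec["cs-uri-stem"],
                               "param": name, "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `O'Brien` request is deliberately included: a lone quote is not enough to raise an alert, because a rule that fires on any apostrophe would block legitimate names. A production WAF goes further than this sketch, inspecting request bodies and headers as well as the query string and normalising more encodings before matching.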

For more detail about vendor patches and mitigation, visit: 



Mayank Kumar - Security Researcher R&D

Mayank Kumar is a skilled Security Researcher at Indusface. With an expertise in developing detection logic and signatures for an array of security vulnerabilities, including 0-day vulnerabilities, he stands at the forefront of safeguarding digital landscapes. Fueling his passion for cyber defense, Mayank actively pursues learning new security concepts and eagerly takes on the challenge of solving vulnerable machines on platforms like TryHackMe and HackTheBox.
