Security Bulletin

Indusface Threat Coverage: MOVEit Transfer SQL Injection Vulnerabilities

Progress has recently raised concerns about multiple vulnerabilities in their MOVEit Transfer secure managed file transfer solution. These vulnerabilities have been publicly disclosed within the past several weeks, and the most recent one was reported on June 15, 2023.  

Notably, the latest vulnerability is claimed to be a zero-day SQL injection vulnerability. If exploited by an attacker, these vulnerabilities can lead to unauthorized access to the MOVEit Transfer database. 

Multiple Vulnerabilities on MOVEit Transfer

As of now, three vulnerabilities have been disclosed and brought to attention. These vulnerabilities are as follows: 

  • CVE-2023-34362 (May 31, 2023)
  • CVE-2023-35036 (June 9, 2023)
  • CVE-2023-35708 (June 15, 2023)

CVE-2023-34362 (0-day)

In late May 2023, Progress disclosed a critical vulnerability (CVE-2023-34362) found in the MOVEit Transfer web application. This vulnerability, classified as an SQL Injection flaw, poses a significant risk as it could enable unauthorized access to the database of MOVEit Transfer. 

Attackers associated with the Clop ransomware operation have been exploiting the CVE-2023-34362 vulnerability as a zero-day before it was patched. The public proof-of-concept code for this exploit indicates that other malicious actors are highly likely to target vulnerable systems that have not yet been patched. 

Severity: Critical  

CVSSv3.1: Base Score: 9.8 CRITICAL   

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

CVSSv2: Base Score: 9.3 HIGH   

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)  

Versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) are susceptible to the identified vulnerability. The vulnerability (CVE-2023-34362) was successfully addressed and patched on May 31. 

CVE-2023-35036

On June 9, 2023, Progress discovered another SQL injection vulnerability in the MOVEit Transfer web application. CVE-2023-35036 has been assigned to this vulnerability. This vulnerability affects all MOVEit Transfer versions, wherein an attacker can submit a crafted payload to an application endpoint. Exploiting this vulnerability could lead to unauthorized modification and disclosure of MOVEit database content. 

To address these vulnerabilities, Progress Software has acted promptly and released patches for the following versions: 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). 

Severity: Critical  

CVSSv3.1: Base Score: 10.0 CRITICAL   

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSSv2: Base Score: 9.1 HIGH   

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)  

Exploit available in public: No  

Exploit complexity: Low  

CVE-2023-35708

CVE-2023-35708, identified on June 15, 2023, denotes the third vulnerability in MOVEit Transfer within three weeks. This vulnerability has the potential to result in elevated privileges and unauthorized access to the environment, emphasizing the need for MOVEit Transfer customers to take prompt action as outlined below to safeguard their MOVEit Transfer environment. 

Prevention and Mitigation against Exploitation

It is recommended to apply the vendor’s patches promptly, whenever they are available and feasible to deploy. Progress has released updated patches for at least two vulnerabilities and is providing further updates regarding the most recently disclosed vulnerability.

The following is the summary of mitigations recommended by Progress Software:  

  • Restrict any HTTP and HTTPS traffic to the MOVEit Transfer environment. This can be accomplished by modifying firewall rules to block incoming traffic on ports 80 and 443 specifically for MOVEit Transfer.
  • Conduct a thorough review and remove any unauthorized files and user accounts. Ensure only authorized and necessary files and user accounts are in the system.
  • Reset the credentials for service accounts. This includes changing the passwords or access keys associated with service accounts to prevent unauthorized access and ensure that only authorized individuals can access these accounts.
  • For all supported versions of MOVEit Transfer, it is crucial to apply the available patches.
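The four interim steps above, applied from an elevated PowerShell prompt on the MOVEit Transfer host, as an added example that is not Progress’s or Indusface’s own tooling; the web root path, the review cutoff date and the service account name are assumptions to be adjusted for the deployment:

```powershell
# Added example (not from Progress or Indusface): apply the interim mitigations
# listed above on the MOVEit Transfer host. Run as Administrator.
$Cutoff  = Get-Date '2023-05-27'          # ASSUMED start of the review window
$WebRoot = 'C:\MOVEitTransfer\wwwroot'    # ASSUMED web root; verify for your install

# 1. Block inbound HTTP/HTTPS to the host until the vendor patch is applied.
#    Remove the rule afterwards: Remove-NetFirewallRule -DisplayName 'MOVEit-Block-Inbound-80-443'
New-NetFirewallRule -DisplayName 'MOVEit-Block-Inbound-80-443' `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -Action Block -Profile Any | Out-Null

# 2. List files created or modified in the web root since the cutoff for review.
#    Nothing is deleted automatically; confirm each file's origin before removal.
Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize

# 3. List local accounts so unexpected or unused ones can be reviewed.
#    (Domain accounts used by MOVEit must be reviewed in Active Directory.)
Get-LocalUser | Select-Object Name, Enabled, LastLogon, Description | Format-Table -AutoSize

# 4. Rotate the service account credential. Read-Host -AsSecureString keeps the new
#    password out of shell history; 'svc_moveit' is an ASSUMED placeholder name.
$Svc   = 'svc_moveit'
$NewPw = Read-Host -AsSecureString "New password for $Svc"
Set-LocalUser -Name $Svc -Password $NewPw
```

After step 4, update the same credential wherever the service account is configured (Windows services, IIS application pools, scheduled tasks), or those components will fail to start.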

AppTrana WAAP Preventive Rules and Filters

Apart from the patches provided by the vendor, AppTrana offers additional protection patterns that can serve as an extra layer of defence against potential exploits.  

To protect our customers, the Indusface managed security team developed rules that generate MOVEit-related alerts and block exploitation attempts. Our team continuously monitors exploitation attempts related to these CVEs through the security rules listed below.

AppTrana users can also verify their security controls against the following Web Application Firewall rules.

Rule ID   Name
99839     MOVEit Transfer Vulnerability Detected – 1
99840     MOVEit Transfer Vulnerability Detected – 2
99841     MOVEit Transfer Vulnerability Detected – 3
99842     MOVEit Transfer Vulnerability Detected – 4
99843     MOVEit Transfer Vulnerability Detected – 5
99846     MOVEit Transfer Vulnerability Detected – 6

AppTrana customers are protected from this threat through web application firewall SQL Injection protection. 

For more detail about vendor patches and mitigation, visit: 

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.

Mayank Kumar

Mayank Kumar is a skilled Security Researcher at Indusface. With an expertise in developing detection logic and signatures for an array of security vulnerabilities, including 0-day vulnerabilities, he stands at the forefront of safeguarding digital landscapes. Fueling his passion for cyber defense, Mayank actively pursues learning new security concepts and eagerly takes on the challenge of solving vulnerable machines on platforms like TryHackMe and HackTheBox.

This post was last modified on August 14, 2023 18:56
