Batten down the hatches, it's time to patch some more MOVEit bugs
Exploit attempts for ‘devastating’ vulnerabilities already underway
Thought last year's MOVEit hellscape was well and truly behind you? Unlucky, buster. We're back for round two after Progress Software lifted the lid on fresh vulnerabilities affecting MOVEit Transfer and Gateway.
Progress Software initially contacted users on June 13 about CVE-2024-5805 and CVE-2024-5806, both of which it classifies as authentication bypass-style vulnerabilities, each carrying a critical 9.1 severity score.
The information was under embargo until June 25 to allow adequate time for patching, which was probably a good call given that 2,773 organizations were breached by Cl0p in last year's MOVEit-related disaster, per Emsisoft's tracker.
MOVEit Transfer was at the center of last year's breaches. It's a popular managed file transfer (MFT) product used by orgs to transfer files around the company. MOVEit Gateway is a proxy service that works to make Transfer deployments safer. It allows orgs to place Gateway servers inside their demilitarized zone, allowing for Transfer to operate on the local area network only, away from the public internet.
In typical fashion, researchers at watchTowr have penned a comprehensive account of CVE-2024-5806 – the one affecting MOVEit Transfer – and the two damaging attacks it can facilitate. It's all underpinned by the interoperation between MOVEit, its IPWorks SSH library, and the way MOVEit handles errors.
First up is what watchTowr is calling a forced authentication attack – the less severe of the two flaws, which allows remote attackers to brute force the Net-NTLMv2 hash required to authenticate as a target user account.
MOVEit's hardening and privilege separation would likely hinder real-world applications of this, watchTowr said, and organizations serious about security would prohibit remote logins to highly privileged accounts.
It believes this is technically a vulnerability affecting MOVEit, but also one that may affect other applications that use the IPWorks SSH server.
"We attempted to verify this by building the IPWorks SSH samples, and found that they do, indeed, allow us to cause a forced SMB authentication, permitting us to use Responder to crack the resultant hashes," watchTowr said. "For reference, the version of the IPWorks Nuget package we tested was 24.0.8917.
"This is of particular significance since other applications may not use the strong privilege separation, such as service accounts, that MOVEit entails, and may instead immediately expose administrator credentials allowing a full system compromise."
El Reg contacted /n software, which develops IPWorks SSH. Gent Hito, President and CEO, told us:
"We have already fixed the issue and are working on notifying and advising affected customers about the impact. The scope of the vulnerability is dependent on how developers use the component and we expect it to be limited."
He added: "It's worth noting that the security researchers notified us just hours before release on Monday, while they had known and worked on this for weeks – which is regrettable."
Despite not being deemed as severe by the researchers, both vulnerabilities carry the same critical severity score.
Furthermore, the knowledge gleaned from proving the workings of this attack was used to carry out the second, more "devastating" one, which allows attackers to assume the identity of any SFTP user, allowing them to read, write, and delete files – all wrapped up in a file-less attack.
It's described as an exploit that only works in limited scenarios, but watchTowr said all the information required to pull it off is a valid username to the SFTP subsystem.
The report reads: "It is easy to imagine an attacker would use a list of usernames, perhaps from an email list, attempting the exploit with each in turn until one works."
- White House report dishes deets on all 11 major government breaches from 2023
- One year on, universities org admits MOVEit attack hit data of 800K people
- OpenAI to pull plug on 'unsupported' nations – cough, China – from July 9
- Uncle Sam's had it up to here with 'unforgivable' SQL injection flaws
Responding to this excerpt, security analyst Michael Taggart said: "From an assume-breach perspective, this is barely a speedbump."
"Although this is a low bar for attackers to overcome, it will help limit the progress of automated attacks," watchTowr added.
"In addition to requiring a valid username, the specified username must pass any IP-based restrictions, and so, locking down users to whitelisted IP addresses may provide a reduction in risk."
If attackers start trying to exploit these vulnerabilities now that watchTowr has released the blueprint on how to do it, any attempt is likely to generate a noticeable uptick in system log activity, so it'll be on the noisier side, making it that little bit easier to detect.
CVE-2024-5806 affects versions:
-
From 2023.0.0 before 2023.0.11
-
From 2023.1.0 before 2023.1.6
-
From 2024.0.0 before 2024.0.2
To the surprise of probably no one, within just a few hours of watchTowr's writeup going live, attack attempts using CVE-2024-5806 began, according to Shadowserver's telemetry.
Echoing the words of every corner of the security industry after learning of the possible attacks to be hitting MOVEit in the coming days, Shadowserver said: " If you run MOVEit and have not patched yet - please do so now."
MOVEit Gateway bug
The vulnerability affecting MOVEit Gateway, CVE-2024-5805, has gone much more under the radar, which is perhaps to be expected given the hard time MOVEit Transfer gave organizations last year.
The authentication bypass bug in MOVEit Gateway is just as severe, according to Progress Software's severity assessment. However, it's likely to affect far fewer users for a number of reasons.
For starters, it only affects version 2024.0.0, meaning the attack surface is vastly reduced compared to that of CVE-2024-5806. It's also only an optional add-on for MOVEit Transfer users, further limiting the number of vulnerable instances.
As for how many MOVEit customers are currently exposed, different vendors' telemetry will always vary. Shadowserver's data suggests less than 2,000 are exposed to the internet while Censys puts that figure more in the 2,7000 region. Both agree that most are localized to North America, however.
Despite the lower number of MOVEit Gateway users being exposed to an authentication bypass flaw, it's still advised that patches for both CVE-2024-5805 and CVE-2024-5806 are applied as soon as possible if they haven't been already. ®