Sophos News

MOVEit mayhem 3: “Disable HTTP and HTTPS traffic immediately”

Update. Progress Software has now tested and published a patch for the “irresponsibly disclosed” vulnerability (CVE-2023-35708) described below. Turn off web access to MOVEit Transfer until you’ve applied this latest patch. [2023-06-17-19:00:00Z]

Yet more MOVEit mayhem!

“Disable HTTP and HTTPS traffic to MOVEit Transfer,” said Progress Software, and the timeframe for doing so was “immediately”, no ifs, no buts.

Progress Software is the maker of file-sharing software MOVEit Transfer, and the hosted MOVEit Cloud alternative that’s based on it, and this is its third warning in three weeks about hackable vulnerabilities in its product.

At the end of May 2023, cyberextortion criminals associated with the Clop ransomware gang were found to be using a zero-day exploit to break into servers running the MOVEit product’s web front-end.

By sending deliberately malformed SQL database commands to a MOVEit Transfer server via its web portal, the criminals could access database tables without needing a password, and implant malware that allowed them to return to compromised servers later on, even if they’d been patched in the meantime.

The attackers have apparently been stealing trophy company data, such as employee payroll details, and demanding blackmail payments in return for “deleting” the stolen data.

We explained, back at the start of June 2023, how to patch against this bug (CVE-2023-34362), and what you could look for in case the crooks had already paid you a visit:

https://nakedsecurity.sophos.com/2023/06/05/moveit-zero-day-exploit-used-by-data-breach-gangs-the-how-the-why-and-what-to-do/

Second warning

That warning was followed, last week, by an update from Progress Software.

While investigating the zero-day hole that they’d just patched, Progress developers uncovered similar programming flaws elsewhere in the code (CVE-2023-35036).

The company therefore published a further patch, urging customers to apply this new update proactively, assuming that the crooks (whose zero-day had just been rendered useless by the first patch) would also keenly be looking for other ways to break back in:

https://nakedsecurity.sophos.com/2023/06/09/more-moveit-mitigations-new-patches-published-for-further-protection/

Unsurprisingly, bugs of a feather often flock together, as we explained in this week’s Naked Security podcast:

[On 2023-06-09, Progress put] another patch out to deal with similar bugs that, as far as they know, the crooks haven’t found yet (but if they look hard enough, they might).

And, as weird as that sounds, when you find that a particular part of your software has a bug of a particular sort, you shouldn’t be surprised if, when you dig deeper…

…you find that the programmer (or the programming team who worked on it at the time that the bug you already know about got introduced) committed similar errors around the same time.

https://nakedsecurity.sophos.com/2023/06/15/s3-ep139-are-password-rules-like-running-through-rain/

Third time unlucky

Well, lightning struck the same place for the third time in quick succession.

The third time, it seems as though someone performed what’s known in the jargon as a “full disclosure” (where bugs are revealed to the world at the same time as to the vendor, thus giving the vendor no breathing room to publish a patch proactively), or “dropping an 0-day”.

Progress reported:

Today [2023-06-15], a third-party publicly posted a new [SQL injection] vulnerability. We have taken HTTPS traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPS traffic to safeguard their environments while the patch is finalized. We are currently testing the patch and we will update customers shortly.

Simply put, there was a brief zero-day period during which the new vulnerability (CVE-2023-35708) was circulating, but a patch wasn’t yet tested and ready for release.

As Progress has mentioned before, this group of SQL injection bugs (a form of command injection, where you send in what ought to be harmless data that the server later runs as part of a database command) can only be triggered via MOVEit’s web-based portal, using HTTP or HTTPS requests.
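To show what “harmless data that gets invoked as a command” means in practice, here is an added example (not MOVEit’s code, and not the bug above) using a constructed in-memory SQLite table as a stand-in for a web portal’s user database: the same login lookup written two ways, one that splices request data into the SQL text and one that passes it as parameters.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a portal's user table (not MOVEit's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'admin')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    """Request data is spliced straight into the SQL text, so the database
    parses whatever the client sent as part of the command itself."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def lookup_hardened(conn, username, password):
    """Parameters travel separately from the SQL text; the database only
    ever compares them as values and never interprets them as commands."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# The textbook illustration: as a value this string is harmless, but once it
# is spliced into the SQL text above, the WHERE clause becomes
#   username = 'nobody' AND password = '' OR '1'='1'
# which is true for every row, so the lookup succeeds without the password.
MALFORMED_PASSWORD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, no password:", lookup_vulnerable(db, "nobody", MALFORMED_PASSWORD))
    print("hardened,   no password:", lookup_hardened(db, "nobody", MALFORMED_PASSWORD))
```

The vulnerable lookup returns Alice’s admin row for a caller who knows no password at all; the parameterised one returns nothing, which is why “use bound parameters everywhere” is the durable fix and disabling the web front-end is only a stopgap.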

Fortunately, that meant you didn’t need to shut down your entire MOVEit system to mitigate the bugs before patching them, only web-based access.

What to do?

Quoting from Progress Software’s advice document dated 2023-06-15:

Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically:

Progress Software’s patch has now been tested and published, so once you’ve applied the new update you can, in theory, turn web access back on…

…though we’d sympathise if you decided to keep it turned off for a while longer, just to be sure, to be sure.
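A quick way to confirm that the “turn off web access” step actually took effect, as an added example that is neither Progress’s nor Sophos’s code: run it from a machine that could previously reach the portal, and it reports whether anything still answers on the web ports. Ports 80 and 443 are an assumption; pass the ports your deployment actually uses.

```python
import socket
import sys

# Assumed default web ports for the portal; override for your deployment.
WEB_PORTS = (80, 443)


def port_accepts_connections(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes (something is still
    listening and reachable), False on refusal, timeout or any socket error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def web_access_still_exposed(host, ports=WEB_PORTS, timeout=2.0):
    """Map each port to whether it still accepts connections."""
    return {port: port_accepts_connections(host, port, timeout) for port in ports}


def report(host, ports=WEB_PORTS, timeout=2.0):
    """Human-readable verdict: any open port means the mitigation is incomplete."""
    status = web_access_still_exposed(host, ports, timeout)
    still_open = sorted(p for p, is_open in status.items() if is_open)
    if still_open:
        return "EXPOSED: %s still accepts connections on %s" % (host, still_open)
    return "OK: %s refuses connections on %s" % (host, sorted(ports))


def self_check():
    """Exercise both outcomes against a throwaway listener on localhost:
    returns (reachable while listening, reachable after it is shut down)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = port_accepts_connections("127.0.0.1", port)
    srv.close()
    after_shutdown = port_accepts_connections("127.0.0.1", port)
    return while_listening, after_shutdown


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target))
```

A refused connection only proves the port is closed from where you ran the check; run it from outside the network boundary as well, since that is the path the crooks would use.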

THREAT HUNTING TIPS FOR SOPHOS CUSTOMERS

Sophos customers can find threat hunting advice and information, including search queries you can paste directly into the Sophos XDR product, on our sister site Sophos News. See the article entitled Information on MOVEit Transfer and MOVEit Cloud Vulnerability CVE-2023-34362.